Adversarial RAW: Image-Scaling Attack Against Imaging Pipeline

TL;DR

This paper introduces an adversarial attack targeting the RAW-to-RGB image processing pipeline, capable of producing images that appear normal but are maliciously altered after scaling, considering both gradient-available and gradient-unavailable ISP pipelines.

Contribution

It develops a novel image-scaling attack against ISP pipelines, including a proxy model for gradient-unavailable scenarios, enhancing attack applicability and effectiveness.

Findings

High attack success rates against target ISP pipelines.

Effective attack in both gradient-available and gradient-unavailable settings.

Demonstrates vulnerability of imaging pipelines to adversarial RAW data.

Abstract

Deep learning technologies have become the backbone for the development of computer vision. With further explorations, deep neural networks have been found vulnerable to well-designed adversarial attacks. Most of the vision devices are equipped with image signal processing (ISP) pipeline to implement RAW-to-RGB transformations and embedded into data preprocessing module for efficient image processing. Actually, ISP pipeline can introduce adversarial behaviors to post-capture images while data preprocessing may destroy attack patterns. However, none of the existing adversarial attacks takes into account the impacts of both ISP pipeline and data preprocessing. In this paper, we develop an image-scaling attack targeting on ISP pipeline, where the crafted adversarial RAW can be transformed into attack image that presents entirely different appearance once being scaled to a specific-size image. We first consider the gradient-available ISP pipeline, i.e., the gradient information can be directly used in the generation process of adversarial RAW to launch the attack. To make the adversarial attack more applicable, we further consider the gradient-unavailable ISP pipeline, in which a proxy model that well learns the RAW-to-RGB transformations is proposed as the gradient oracles. Extensive experiments show that the proposed adversarial attacks can craft adversarial RAW data against the target ISP pipelines with high attack rates.