Imperceptible Adversarial Attack on Deep Neural Networks from Image Boundary

TL;DR

This paper introduces a novel adversarial attack method that manipulates image boundaries to fool deep neural networks with high success and imperceptibility, revealing new insights into AE construction.

Contribution

It proposes a boundary-focused adversarial attack that effectively exploits DNN boundary attention, a novel perspective in AE research.

Findings

Achieves 95.2% success rate with only 32% of image content.

High average peak signal-to-noise ratio of 41.37 dB indicating imperceptibility.

Boundary manipulation significantly influences DNN attention and attack success.

Abstract

Although Deep Neural Networks (DNNs), such as the convolutional neural networks (CNN) and Vision Transformers (ViTs), have been successfully applied in the field of computer vision, they are demonstrated to be vulnerable to well-sought Adversarial Examples (AEs) that can easily fool the DNNs. The research in AEs has been active, and many adversarial attacks and explanations have been proposed since they were discovered in 2014. The mystery of the AE's existence is still an open question, and many studies suggest that DNN training algorithms have blind spots. The salient objects usually do not overlap with boundaries; hence, the boundaries are not the DNN model's attention. Nevertheless, recent studies show that the boundaries can dominate the behavior of the DNN models. Hence, this study aims to look at the AEs from a different perspective and proposes an imperceptible adversarial attack that systemically attacks the input image boundary for finding the AEs. The experimental results have shown that the proposed boundary attacking method effectively attacks six CNN models and the ViT using only 32% of the input image content (from the boundaries) with an average success rate (SR) of 95.2% and an average peak signal-to-noise ratio of 41.37 dB. Correlation analyses are conducted, including the relation between the adversarial boundary's width and the SR and how the adversarial boundary changes the DNN model's attention. This paper's discoveries can potentially advance the understanding of AEs and provide a different perspective on how AEs can be constructed.