One-Index Vector Quantization Based Adversarial Attack on Image Classification

TL;DR

This paper introduces a novel VQ domain adversarial attack that modifies a single index in compressed images, effectively causing misclassification with minimal perturbation, applicable in semi-black-box scenarios.

Contribution

It presents the first one-index attack method in the VQ domain, leveraging differential evolution to efficiently generate adversarial images with limited modifications.

Findings

Achieves 55.9% attack success on CIFAR-10

Achieves 77.4% attack success on Fashion MNIST

Maintains high misclassification confidence with low perturbation

Abstract

To improve storage and transmission, images are generally compressed. Vector quantization (VQ) is a popular compression method as it has a high compression ratio that suppresses other compression techniques. Despite this, existing adversarial attack methods on image classification are mostly performed in the pixel domain with few exceptions in the compressed domain, making them less applicable in real-world scenarios. In this paper, we propose a novel one-index attack method in the VQ domain to generate adversarial images by a differential evolution algorithm, successfully resulting in image misclassification in victim models. The one-index attack method modifies a single index in the compressed data stream so that the decompressed image is misclassified. It only needs to modify a single VQ index to realize an attack, which limits the number of perturbed indexes. The proposed method belongs to a semi-black-box attack, which is more in line with the actual attack scenario. We apply our method to attack three popular image classification models, i.e., Resnet, NIN, and VGG16. On average, 55.9% and 77.4% of the images in CIFAR-10 and Fashion MNIST, respectively, are successfully attacked, with a high level of misclassification confidence and a low level of image perturbation.