SPOOF: Simple Pixel Operations for Out-of-Distribution Fooling
Ankit Gupta, Christoph Adami, Emily Dolson (Michigan State University)

TL;DR
This paper demonstrates that modern deep neural networks, including transformers, remain highly vulnerable to simple, efficient black-box fooling attacks that generate high-confidence misclassifications with minimal modifications.
Contribution
The authors introduce SPOOF, a minimalist and efficient black-box attack method that produces high-confidence fooling images with minimal pixel changes, revealing persistent vulnerabilities.
Findings
Transformers like ViT-B/16 are highly susceptible to fooling.
SPOOF achieves high-confidence misclassifications with fewer queries.
Retraining with fooling images offers limited resistance.
Abstract
Deep neural networks (DNNs) excel across image recognition tasks, yet continue to exhibit overconfidence on inputs that bear no resemblance to natural images. Revisiting the "fooling images" work introduced by Nguyen et al. (2015), we re-implement both CPPN-based and direct-encoding-based evolutionary fooling attacks on modern architectures, including convolutional and transformer classifiers. Our re-implementation confirms that high-confidence fooling persists even in state-of-the-art networks, with transformer-based ViT-B/16 emerging as the most susceptible--achieving near-certain misclassifications with substantially fewer queries than convolution-based models. We then introduce SPOOF, a minimalist, consistent, and more efficient black-box attack generating high-confidence fooling images. Despite its simplicity, SPOOF generates unrecognizable fooling images with minimal pixel…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Generative Adversarial Networks and Image Synthesis
