Almost for Free: Crafting Adversarial Examples with Convolutional Image Filters

TL;DR

This paper introduces a simple, efficient method for creating adversarial examples using optimized edge detection filters, revealing neural networks' vulnerability to such attacks.

Contribution

It proposes a novel approach using classic image filters for adversarial attacks, achieving high success rates with minimal parameters and computational effort.

Findings

3x3 filters achieve 30-80% success rates across neural networks.

The approach reduces parameters by five orders of magnitude compared to generative models.

Learned filters exhibit high transferability and resemble classic image filters.

Abstract

Adversarial examples in machine learning are typically generated using gradients, obtained either directly through access to the model or approximated via queries to it. In this paper, we propose a much simpler approach to craft adversarial examples, drawing inspiration from insights of explainable machine learning. In particular, we design \emph{adversarial image filters} that are based on classic edge detection algorithms but optimized to deceive learning models. The resulting untargeted attacks are transferable and require only a single pass over the input. Empirically, we find that 3x3 filters already enable success rates between 30% and 80% on different neural networks. Compared to related approaches using generative models for crafting adversarial examples, we reduce the number of parameters by five orders of magnitude, resulting in a very efficient attack. When investigating the parameters of the learned filters, we observe interesting properties such as a high transferability between models and structures common to classic image filters. Our results provide further insights into the vulnerability of neural networks and their fragility to malicious noise.