What if Adversarial Samples were Digital Images?

Benoît Bonnet, Teddy Furon, Patrick Bas
Proceedings of the 2020 ACM Workshop on Information Hiding and Multimedia Security (IH&MMSec 2020)
Although adversarial sampling is a trendy topic in computer vision, very few works consider the integral constraint: the result of the attack is a digital image whose pixel values are integers. This is not an issue at first sight, since applying a rounding after forging an adversarial sample trivially does the job. Yet this paper shows theoretically and experimentally that this operation has a big impact. Adversarial perturbations are fragile signals whose quantization destroys their ability to delude an image classifier. This paper presents a new quantization mechanism which preserves the adversariality of the perturbation. Its application yields a new look at the lessons learnt in adversarial sampling.

CCS Concepts: Security and privacy → Domain-specific security and privacy architectures; Intrusion/anomaly detection and malware mitigation; Malware and its mitigation.

Excerpt from the paper body: We denote by J ⊂ [ ] the (complementary) subset of indices whose quantization depends on . It is defined as: We assume that this subset is not empty. Sect. 5.2 empirically shows that J gathers around three fourths of the pixels.
doi:10.1145/3369412.3395062 dblp:conf/ih/BonnetFB20 fatcat:m2wila7l5jhjrmlk3ehz47mcaa