Affiliation:
1. Southwest Petroleum University
Abstract
Recent studies of the vulnerability of deep neural networks in image classification have aroused interest in designing various kinds of attacks, which serve to probe the security issues of deep neural network models. Although existing white-box attacks can be strong, most of them are vulnerable to human inspection. Some attacks are stealthy and imperceptible, but their damaging effect is weakened. In this work, we propose a novel approach to crafting adversarial samples that reconciles attack effectiveness and imperceptibility. In particular, instead of attacking all image channels as existing methods do, we target a specific color channel and the local region related to classification, where the adversarial perturbations are applied. To fool the human visual system, we propose an improved bilinear interpolation approach that camouflages adversarial samples with enhanced resolution. Experiments on three benchmark datasets (MNIST, CIFAR10, IMAGENET-10) demonstrate that, compared to several strong attack methods, our model strikes a better balance between attack strength and human inspection. Moreover, the adversarial samples created by our method are more effective than those generated by the comparison methods in improving the robustness of the base classification model.
Publisher
Research Square Platform LLC