Color Channel Perturbation Attacks for Fooling Convolutional Neural Networks and A Defense Against Such Attacks

12/20/2020
by Jayendra Kantipudi, Shiv Ram Dubey and Soumendu Chakraborty
IIIT Sri City

Convolutional Neural Networks (CNNs) have emerged as a very powerful, data dependent, hierarchical feature extraction method and are widely used in several computer vision problems. CNNs learn the important visual features from training samples automatically. However, it is observed that such networks overfit the training samples very easily, and several regularization methods have been proposed to avoid this overfitting. In spite of this, the network remains sensitive to the color distribution within the images, which is ignored by the existing approaches. In this paper, we expose the color robustness problem of CNNs by proposing a Color Channel Perturbation (CCP) attack to fool them. In the CCP attack, new images are generated with new channels created by combining the original channels with stochastic weights. Experiments are carried out over the widely used CIFAR10, Caltech256 and TinyImageNet datasets in the image classification framework. The VGG, ResNet and DenseNet models are used to test the impact of the proposed attack. It is observed that the performance of the CNNs degrades drastically under the proposed CCP attack. The results show the effect of the proposed simple CCP attack on the robustness of trained CNN models, and are also compared with existing CNN fooling approaches in terms of the accuracy drop. We also propose a primary defense mechanism against this problem by augmenting the training dataset with the proposed CCP attack. State-of-the-art performance in terms of CNN robustness under the CCP attack is observed in the experiments with the proposed solution. The code is made publicly available at <https://github.com/jayendrakantipudi/Color-Channel-Perturbation-Attack>.


1 Introduction

The last decade was dominated by deep learning methods for solving various problems in Computer Vision, Natural Language Processing, Robotics, and other areas [28]. Deep learning methods learn the important features from the data automatically in a hierarchical fashion [26]. They have shown very promising performance in various domains, such as computer vision [18], [13], natural language processing [52], [49], health informatics [36], [44], sentiment analysis over social media data [9], [43], etc. However, recent studies show that trained deep learning models can be fooled easily by manipulating the test data [10], [31], [7], [50], [53]. Most of the existing fooling techniques are data dependent, whereas we present a data independent color channel perturbation based attack in this paper to fool trained deep learning models, as depicted in Fig. 1.

Figure 1: The illustration of the proposed Color Channel Perturbation (CCP) attack to fool the CNN for object recognition. The images are taken from the Caltech256 dataset [11]. The 1st row represents the training over the training set, the 2nd row represents the testing over the test set, and the 3rd row represents the testing over the test set transformed using the proposed CCP attack.

The Convolutional Neural Network (CNN) is a type of neural network designed to apply deep learning to the classification of image and video data. AlexNet was the first popular CNN model, developed by Krizhevsky et al. in 2012 [24]. It won the ImageNet object recognition challenge in 2012 and showed a great improvement over prior methods [41]. Inspired by the success of AlexNet, various CNN models have been investigated for object recognition, including VGG [45], ResNet [15], DenseNet [17], etc. CNN based models have also been proposed for different applications. Faster R-CNN [39], the Single Shot Detector (SSD) [27] and You Only Look Once (YOLO) [38] are proposed for object detection. Mask R-CNN [14] is designed for segmentation and MicroExpSTCNN [37] is proposed for micro-expression recognition. HybridSN [40] is proposed for hyperspectral image classification. Other CNN applications include image classification [3], face recognition [47], [48], face anti-spoofing [32], image-to-image transformation [21], [2], and many more.

The basic aim of any CNN is to learn the important features automatically from the training data. The learning of the CNN weights is generally done using the back propagation technique [22], [6]. Normally, CNNs are likely to overfit the training data if the model capacity is higher than warranted by the dataset and proper regularization is not used. Some common regularization techniques are Dropout [46], Batch Normalization [19], Data Augmentation [33], etc.

Figure 2: Sample images from (1st row) the original test set of the CIFAR10 dataset [23], (2nd row) transformed using the CCP attack with the fixed random weight setting, (3rd row) transformed using the CCP attack with the variable random weight setting, (4th row) transformed using the Adversarial attack [10], and (5th row) transformed using the One-pixel attack [50].

It has been observed in the literature that trained CNN models can be fooled by modifying the test data using different approaches [10]. Recent studies show that CNNs are vulnerable to maliciously designed perturbations (i.e., adversarial examples) [31], [7], [30]. Su et al. have generated differential evolution based One-pixel adversarial perturbations to fool CNNs [50]. Zhao et al. have introduced a one-step spectral attack (OSSA) using the Fisher information in neural networks [53]. An adversarial transformation using the shape bias property has been developed to generate semantic adversarial examples to fool CNNs [16]. Joshi et al. have also developed semantic adversarial attacks using parametric transformations to fool CNNs [20]. Bhattad et al. have developed texture transfer and colorization based big, but imperceptible, adversarial perturbations [4]. A functional adversarial attack has also been investigated to fool machine learning models [25]. Guo et al. have generated adversarial images in the low frequency domain [12]. It is observed in the literature that adversarial attacks are widely explored to fool CNNs. However, most of the existing methods do not attack the color channels, which is exploited by the proposed color channel perturbation attack.

In order to cope with the problem of CNNs getting fooled by synthesized test images, several defense mechanisms and robustness properties of the networks have been explored. Billovits et al. have observed that CNNs robust to adversarial attacks can be developed by preserving the L2 norm of the original image in the corresponding adversarial image [5]. Feng et al. have analyzed the effect of adversarial attacks over a deep product quantization network (DPQN) for image retrieval [8]. Agarwal et al. have used a Support Vector Machine classifier coupled with Principal Component Analysis features for the detection of image-agnostic universal perturbations [1]. Zheng et al. have utilized the CNN's intrinsic properties to detect adversarial inputs [54]. Prakash et al. have corrupted the image by redistributing pixel values using pixel deflection to increase the CNN robustness [34]. Raff et al. have shown that combining a large number of individually weak defenses stochastically yields a strong defense against adversarial attacks [35]. Mao et al. have used metric learning to produce classifiers robust against adversarial attacks [29]. We use data augmentation, where new images are created by the CCP attack, to increase the robustness of the CNN models against the CCP attack.

The existing methods focus on adversarial attacks, which use gradient information, and on the corresponding defense mechanisms. However, to the best of our knowledge, the attack due to color channel perturbation has not been studied so far. Thus, in this paper, we introduce a stochastic Color Channel Perturbation (CCP) attack to fool the CNNs, as shown in Fig. 1. We also present an analysis of the proposed CCP attack when used for data augmentation during the training of different CNN models over different datasets. Most of the existing image attack strategies have the following two major limitations: (a) they are data dependent and make use of the network for the attack, which limits their applicability in unknown scenarios, whereas the proposed attack strategy is independent of the data, and (b) they are unable to create variations in the color, whereas the main aim of the proposed approach is to introduce color perturbations while preserving the semantic meaning. The main contributions of this paper are as follows:

  • We propose a new data independent stochastic attack, termed the Color Channel Perturbation (CCP) attack.

  • The proposed CCP attack generates the color channels by combining the original color channels with stochastic weights.

  • Unlike other attacks, the proposed CCP attack makes use of the same weights for each pixel of the image, i.e., uniform relative transformation within an image.

  • We show the performance degradation in VGG, ResNet and DenseNet models due to the proposed attack over different benchmark datasets, including CIFAR10, Caltech256 and TinyImageNet.

  • We analyze the performance of the proposed attack over both low and high resolution images.

  • We also train the models with the synthesized images to observe the defense capability when the proposed attack is used as the data augmentation.

The rest of the paper is structured as follows: Section 2 presents the proposed color channel perturbation attack; Section 3 is devoted to the experimental settings in terms of the CNNs used, the datasets used and the training settings followed; Section 4 illustrates the experimental results and analysis; and finally, the conclusions are drawn in Section 5.

Figure 3: The histograms of the Red, Green and Blue channels computed under no attack, the CCP attack with the fixed random weight setting, the CCP attack with the variable random weight setting, the One-pixel attack [50], and the Adversarial attack [10] over a few images of the test set from (1st-3rd rows) the CIFAR-10 dataset [23] and (4th-6th rows) the Caltech-256 dataset [11].

2 Proposed Color Channel Perturbation Attack

Recently, researchers have observed that a trained Convolutional Neural Network (CNN) can be fooled by attacking the test image, even when the synthesized test image preserves the semantic meaning of the original test image. The performance of a CNN giving the correct result for the original test image degrades suddenly over the synthesized test image. Different types of attack methods have been explored in recent years. However, the existing attack methods fail to exploit the color property of the image.

In this paper, we propose a simple, yet effective Color Channel Perturbation (CCP) attack on image data to fool the CNNs. The proposed attack is based on the color property of the image. Any color image I contains three channels, namely Red (R), Green (G), and Blue (B), in the RGB color space. The proposed CCP attack uses the original color channels (i.e., R, G, and B) of the image I to generate the new transformed color channels (i.e., the transformed Red (R_T), transformed Green (G_T), and transformed Blue (B_T)) of the transformed image I_T. Basically, each one of R_T, G_T, and B_T is a weighted combination of R, G, and B, given as,

R_T^i = α (w_r1^i R^i + w_r2^i G^i + w_r3^i B^i) + β        (1)
G_T^i = α (w_g1^i R^i + w_g2^i G^i + w_g3^i B^i) + β        (2)
B_T^i = α (w_b1^i R^i + w_b2^i G^i + w_b3^i B^i) + β        (3)

where α is a scale factor hyperparameter, β is a bias hyperparameter, (R^i, G^i, B^i) are the intensity values in the Red, Green and Blue channels of input image I_i of the test set (i.e., i = 1, 2, ..., n, where n is the number of images in the test set), (R_T^i, G_T^i, B_T^i) are the intensity values in the Red, Green and Blue channels of the transformed image I_T^i corresponding to I_i, and (w_r1^i, w_r2^i, w_r3^i), (w_g1^i, w_g2^i, w_g3^i) and (w_b1^i, w_b2^i, w_b3^i) are the random weights used to generate the Red, Green and Blue channels of the transformed image, respectively, corresponding to input image I_i, with each weight drawn from [l, u], where l and u are the lower and upper limits of the generated random numbers/weights, respectively. Note that the same lower and upper limits l and u are used in all the experiments unless otherwise specified. The scale and bias are used to adjust the visual appearance of the generated image.

We propose two schemes of the proposed CCP attack, namely the fixed random weight based CCP attack (the fixed setting) and the variable random weight based CCP attack (the variable setting). Note that in both cases the generated random weights are the same for all the pixels of an image, which preserves the relative local neighborhood information in the image. However, the random weights for the different channels are generated independently in both cases. In the fixed scheme, the generated random weights are the same for all the test images, i.e., (w_r1^i, w_r2^i, w_r3^i) = (w_r1^j, w_r2^j, w_r3^j), and similarly for the Green and Blue weights, for any two test images I_i and I_j. In the variable scheme, independent random weights are generated for each test image, i.e., the weights (w_r1^i, w_r2^i, w_r3^i), (w_g1^i, w_g2^i, w_g3^i) and (w_b1^i, w_b2^i, w_b3^i) are drawn at random for each image I_i independently.
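To make the transformation concrete, a minimal NumPy sketch of the CCP transform of Eqs. (1)-(3) and of the two weight schemes is given below. The function names, the [0, 255] clipping and the default weight range [0, 1] are our own illustrative choices and are not prescribed by the paper.

import numpy as np

def ccp_transform(image, weights, alpha=1.0, beta=0.0):
    """Apply the CCP transform of Eqs. (1)-(3) to one RGB image.

    image   : H x W x 3 array with channels (R, G, B).
    weights : 3 x 3 array; row k mixes (R, G, B) into the k-th output channel.
    alpha, beta : scale and bias hyperparameters.
    """
    x = image.astype(np.float32)
    # The same 3 x 3 weight matrix is applied to every pixel, so the
    # relative local neighborhood information of the image is preserved.
    mixed = np.einsum('hwc,kc->hwk', x, weights)
    out = alpha * mixed + beta
    return np.clip(out, 0, 255).astype(np.uint8)

def ccp_attack(images, variable=True, low=0.0, high=1.0, rng=None):
    """Fixed scheme: one random weight matrix shared by all images.
    Variable scheme: a fresh random weight matrix per image."""
    rng = np.random.default_rng() if rng is None else rng
    if not variable:
        w = rng.uniform(low, high, size=(3, 3))
        return np.stack([ccp_transform(img, w) for img in images])
    return np.stack([ccp_transform(img, rng.uniform(low, high, size=(3, 3)))
                     for img in images])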

The sample images generated using the proposed color channel perturbation (CCP) attack in the fixed and variable schemes are shown in the 2nd and 3rd rows of Fig. 2, respectively, corresponding to the original images shown in the 1st row of the same figure. The original sample images are taken from the CIFAR10 dataset [23]. It can be easily seen that the semantic meaning of the images, with respect to the underlying objects, is preserved in the generated images. Even then, there is a significant performance drop in image classification due to the CCP transformation. The color distribution of the output images under the fixed scheme is similar across images (see the 2nd row) due to the fixed random weights used for all images in this scheme. However, different color distributions (see the 3rd row) can be observed in the images generated using variable random weights. The sample images generated using the Adversarial attack [10] and the One-pixel attack [50] are also shown in the 4th and 5th rows, respectively. It can be observed that the adversarial and one-pixel attacks follow color distributions similar to those of the original images.

The histograms of the Red, Green and Blue channels for sample images are illustrated in Fig. 3 by red, green and blue colors, respectively. The sample images in the first three rows and the last three rows are taken from the CIFAR10 [23] and Caltech256 [11] datasets, respectively. The sample images in the 1st column are the original images, whereas the images in the other columns are generated using the different transformation approaches. The 2nd and 3rd columns correspond to the proposed CCP attack based transformation under the fixed random and variable random weight settings, respectively. The 4th and 5th columns correspond to the One-pixel attack [50] and Adversarial attack [10] based transformations, respectively. The x-axis and y-axis in each plot represent the bin and frequency, respectively. It is noticed from these plots that the proposed CCP attack leads to variations in the color distributions under both the fixed and variable random weight schemes (i.e., the 2nd and 3rd columns, respectively), while preserving the density distribution of the intensity values. These properties of the CCP transformation enforce different color combinations in the generated image while retaining the visual appearance and semantic meaning of the objects. The histogram plots generated using the One-pixel attack [50] (4th column) and Adversarial attack [10] (5th column) show that these transformations preserve the density distribution without introducing any color variation.
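The per-channel histograms of Fig. 3 can be reproduced with a few lines of NumPy and Matplotlib; the short sketch below is our own, and the bin count and plotting style are arbitrary choices.

import numpy as np
import matplotlib.pyplot as plt

def plot_channel_histograms(image, title, bins=32):
    """Plot the Red, Green and Blue intensity histograms of one RGB image."""
    for channel, color in enumerate(('red', 'green', 'blue')):
        hist, edges = np.histogram(image[..., channel], bins=bins, range=(0, 255))
        plt.plot(edges[:-1], hist, color=color, label=color)
    plt.xlabel('bin')
    plt.ylabel('frequency')
    plt.title(title)
    plt.legend()
    plt.show()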

Figure 4: Different experimental settings used in this work with the proposed CCP attack over training and test sets for the analysis of CNN fooling and robustness.

We generate two transformed test sets from the original test set using the proposed CCP transformation, as depicted on the right side of Fig. 4. The two transformed settings used are 1) the CCP attack using fixed random weights for all the test examples (the fixed setting) and 2) the CCP attack using variable random weights for different test examples (the variable setting). The number of images in each transformed test set is the same as in the original test set. In order to show the impact of the CCP attack and the defense against it, we perform the experiments using two training sets, namely 1) the original training set without CCP based augmentation and 2) the modified training set with CCP based augmentation, as depicted on the left side of Fig. 4.
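The snippet below sketches how the two transformed test sets and the CCP augmented training set of Fig. 4 can be constructed, reusing the hypothetical ccp_attack helper sketched earlier in this section; the array names x_train, y_train and x_test are placeholders for in-memory datasets.

import numpy as np

rng = np.random.default_rng(0)

# Two transformed test sets of the same size as the original test set.
x_test_fixed = ccp_attack(x_test, variable=False, rng=rng)
x_test_variable = ccp_attack(x_test, variable=True, rng=rng)

# CCP augmented training set: original images plus CCP transformed copies
# generated with the variable random weight setting.
x_train_aug = np.concatenate([x_train, ccp_attack(x_train, variable=True, rng=rng)])
y_train_aug = np.concatenate([y_train, y_train])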

3 Experimental Setup

In this section, we describe the experimental setup used in the result analysis. First, we discuss the CNN architectures, including VGG, ResNet and DenseNet. Then we elaborate on the datasets, including CIFAR10, Caltech256 and TinyImageNet. Finally, we provide the details of the training settings.

3.1 CNN Architectures Used

In order to show the impact of the proposed CCP attack, widely used CNN models such as VGG [45], ResNet [15] and DenseNet [17] are employed in the experiments. The VGG network is a deep CNN model with either 16 or 19 learnable layers. In the experiments, the VGG network with 16 layers (i.e., VGG16) is used over the CIFAR10 and TinyImageNet datasets, whereas the VGG network with 19 layers (i.e., VGG19) is used over the Caltech256 dataset. The ResNet architecture is built by arranging the residual blocks in a hierarchical order. A residual block transforms an input (x) to an output (y) as y = F(x) + x, where the residual function F consists of two convolution layers and an activation function. The residual model has shown very promising convergence behavior in the training of deep CNNs, which otherwise fail to converge, as it provides a highway for gradient flow through the identity mapping. In the experiments, the ResNet56, ResNet18 and ResNet101 models are used over the CIFAR10, Caltech256 and TinyImageNet datasets, respectively. We have also used the DenseNet network to observe the performance drop of a heavy CNN under the proposed CCP attack. The DenseNet network contains identity mappings from a layer to all the following layers and thus becomes a complex model. The DenseNet121 model has been used in the experiments over all the datasets.
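As an illustration of the residual mapping y = F(x) + x described above, a minimal Keras residual block may be written as follows; the layer configuration is a generic sketch and not the exact block used in ResNet56, ResNet18 or ResNet101.

from tensorflow.keras import layers

def residual_block(x, filters, kernel_size=3):
    """y = F(x) + x, where F is two convolution layers with an activation.
    Assumes the input already has `filters` channels so the identity
    shortcut can be added directly."""
    shortcut = x
    y = layers.Conv2D(filters, kernel_size, padding='same')(x)
    y = layers.BatchNormalization()(y)
    y = layers.Activation('relu')(y)
    y = layers.Conv2D(filters, kernel_size, padding='same')(y)
    y = layers.BatchNormalization()(y)
    y = layers.Add()([y, shortcut])  # identity highway for gradient flow
    return layers.Activation('relu')(y)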

3.2 Datasets Used

We perform the experiments under the image classification framework over three benchmark datasets (i.e., CIFAR10 [23], Caltech256 [11] and TinyImageNet [51]) to observe the effect of the proposed CCP attack. We consider the popular CIFAR10 dataset (https://www.cs.toronto.edu/~kriz/cifar.html) [23], which is widely used to test the performance of CNNs for image classification. The CIFAR10 dataset consists of 60,000 images from 10 object categories with 6,000 images per category. Out of these, 10,000 images (i.e., 1,000 images per class) are provided as the test set and the remaining 50,000 images form the training set. Each transformed test set also contains 10,000 images with 1,000 images per class. As the CIFAR10 dataset contains low resolution images (i.e., 32x32), we also use datasets having better resolution, namely the TinyImageNet dataset with 64x64 resolution images and the Caltech256 dataset with higher resolution images. The Caltech256 dataset (http://www.vision.caltech.edu/Image_Datasets/Caltech256/) [11] consists of 30,607 images from 256 object categories. A part of the Caltech256 dataset is used for training and the remaining images are used for testing. The overall complexity of the Caltech256 dataset is high due to the larger category sizes, larger category clutter and overall increased difficulty. The benchmark TinyImageNet dataset (https://tiny-imagenet.herokuapp.com/) [51] is also included in the experiments. The TinyImageNet dataset is a subset of the original ImageNet large-scale visual recognition challenge dataset [42]. The TinyImageNet dataset contains 100,000 images in the training set, 10,000 images in the validation set, and 10,000 images in the test set, spread over 200 object categories with 500 training images, 50 validation images and 50 test images per category.

Figure 5: The sample results depicting the effect of the proposed CCP transformations to fool the CNN using the DenseNet model [17]. The 1st row shows the image classification results over the sample images from the original test set of the CIFAR10 dataset [23]. The 2nd and 3rd rows present the classification results of the same images after the CCP attack with the fixed and variable random weight settings, respectively. The class labels with the classification probability for the correct and misclassified classes are also shown. Best viewed in color.

3.3 Training Settings

For all the experiments, the Keras framework with the Tensorflow backend is used. We have performed the training of ResNet56 over the original training set of the CIFAR10 dataset. The model is trained with mini-batch based training for a fixed number of epochs, and the learning rate is reduced in steps as the training progresses. The Adam optimizer [22] is used with the categorical cross-entropy loss function. The following data augmentations are applied during training: normalization with zero mean and unit standard deviation at the dataset as well as the image level, ZCA whitening, random rotation, random horizontal and vertical shifting, random horizontal and vertical flipping, random shear, random zoom, and random channel shifts. The training of DenseNet121 is also carried out over the original training set of the CIFAR10 dataset with a three-stage, step-wise decaying learning rate schedule. The data augmentations used during this training include random rotation, height and width shifts, horizontal flips, and random zoom. We have also trained VGG16 over the CIFAR10 dataset with data augmentations such as feature-wise and sample-wise normalization, ZCA whitening, height and width shifts, horizontal and vertical flips, and random rotation. For VGG16, the learning rate is reduced by a constant decay factor in each epoch.
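A sketch of how such an augmentation pipeline and a step-wise learning rate schedule can be configured in Keras is given below; the numeric ranges, batch size, epoch count and decay breakpoints are placeholders rather than the authors' exact settings, and model, x_train and y_train are assumed to exist.

from tensorflow.keras.preprocessing.image import ImageDataGenerator
from tensorflow.keras.callbacks import LearningRateScheduler

# Placeholder ranges; the exact values used in the paper are not reproduced here.
datagen = ImageDataGenerator(
    featurewise_center=True,             # dataset-level normalization
    featurewise_std_normalization=True,
    samplewise_center=True,              # image-level normalization
    samplewise_std_normalization=True,
    zca_whitening=True,
    rotation_range=15,
    width_shift_range=0.1,
    height_shift_range=0.1,
    horizontal_flip=True,
    vertical_flip=True,
    shear_range=0.1,
    zoom_range=0.1,
    channel_shift_range=0.1)
datagen.fit(x_train)                     # required for ZCA / feature-wise statistics

def step_decay(epoch, lr):
    """Step-wise decay from a fixed base rate; breakpoints are illustrative."""
    return 1e-3 * (0.1 ** (epoch // 50))

model.fit(datagen.flow(x_train, y_train, batch_size=128),
          epochs=200, callbacks=[LearningRateScheduler(step_decay)])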

Transfer learning is utilized for VGG19, ResNet18 and DenseNet121 over the Caltech256 dataset with the Adam optimizer [22] and the categorical cross-entropy loss function. The data augmentations used for this training setting are: random rotation, width and height shifts, random shear, random zoom and horizontal flips. For the Caltech256 dataset, the Adam optimizer is used with a two-stage learning rate schedule, where the learning rate is reduced after the initial epochs.
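A minimal Keras transfer learning sketch along these lines is shown below; the classifier head, input size, learning rate and the decision to freeze the backbone are illustrative assumptions rather than the authors' exact configuration.

from tensorflow.keras.applications import VGG19
from tensorflow.keras import layers, models, optimizers

# ImageNet pre-trained backbone without the classification head.
base = VGG19(weights='imagenet', include_top=False, input_shape=(224, 224, 3))
base.trainable = False                   # frozen here for simplicity

x = layers.GlobalAveragePooling2D()(base.output)
x = layers.Dense(512, activation='relu')(x)
outputs = layers.Dense(256, activation='softmax')(x)   # 256 Caltech256 categories

model = models.Model(base.input, outputs)
model.compile(optimizer=optimizers.Adam(learning_rate=1e-4),
              loss='categorical_crossentropy', metrics=['accuracy'])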

Figure 6: The sample results depicting the effect of the proposed CCP transformations to fool the CNN using the ResNet18 model [15]. The 1st row shows the image classification results over the sample images from the original test set of the Caltech256 dataset [11]. The 2nd and 3rd rows present the classification results of the same images after the CCP attack with the fixed and variable random weight settings, respectively. The class labels with the classification probability for the correct and misclassified classes are also shown. Best viewed in color.

The VGG16, ResNet101 and DenseNet121 models are trained over TinyImageNet with data augmentations such as Gaussian blur applied to a fraction of the images with a random sigma, horizontal and vertical flips, random cropping, affine transformations including scaling, translation relative to height/width (per axis), rotation and shear, Coarse Dropout, and brightness and contrast normalization. For the TinyImageNet dataset, the Adam optimizer is used with a cyclic learning rate schedule and the categorical cross-entropy loss function.
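These operations map naturally onto an imgaug-style augmentation pipeline, sketched below under the assumption that such a library is used; all probabilities and ranges are illustrative placeholders rather than the authors' exact settings.

import imgaug.augmenters as iaa

seq = iaa.Sequential([
    iaa.Sometimes(0.5, iaa.GaussianBlur(sigma=(0.0, 0.5))),  # blur a fraction of images
    iaa.Fliplr(0.5),
    iaa.Flipud(0.2),
    iaa.Crop(percent=(0, 0.1)),
    iaa.Affine(scale=(0.8, 1.2),
               translate_percent=(-0.2, 0.2),
               rotate=(-25, 25),
               shear=(-8, 8)),
    iaa.CoarseDropout(0.02, size_percent=0.1),
    iaa.LinearContrast((0.75, 1.5)),      # contrast normalization
    iaa.Multiply((0.8, 1.2)),             # brightness change
])

augmented_batch = seq(images=image_batch)  # image_batch: N x H x W x 3 uint8 array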

The training and test sets used for the experiments are summarized in Fig. 4. First, the experiments are performed over the original training images to show the impact of the CCP attack on the test set images. Later, CCP attacked training images are also included in the training set to increase the robustness of the models against the CCP attack on the test set images. The training settings are the same whether or not the CCP attacked images are included in the training set. Note that the values of the scale (α) and bias (β) in the CCP attack are chosen separately for the CIFAR10 dataset and for the Caltech256 and TinyImageNet datasets so that the generated images remain visually appealing.

4 Experiments, Results and Observations

This section is devoted to the experimental results and analysis. First, we show the impact of the proposed CCP attack with qualitative and quantitative results. Then, we compare the results with the existing methods. Finally, we enhance the defense capability of the CNNs against such attacks using CCP attack based augmentation of the training data.

4.1 Qualitative Results

The sample results depicting the effect of the proposed CCP transformations to fool the CNN are illustrated in Fig. 5 and Fig. 6. The DenseNet121 model is used over the sample images from the CIFAR10 dataset in Fig. 5 and the ResNet18 model is used over the sample images from the Caltech256 dataset in Fig. 6. The 1st row, in both Fig. 5 and 6, shows the classification results using the images of the corresponding original test set. The 2nd and 3rd rows, in both Fig. 5 and 6, present the classification results of the corresponding 1st row images after the CCP attack with fixed and variable random weights, respectively. The class labels along with the probability of classification for the correct and misclassified classes are also shown. It can be observed in Fig. 5 that an original image classified in the 'Automobile' category with high confidence gets completely misclassified into the 'Truck' category with high confidence after the CCP attack under both the fixed and variable random weight settings. Very similar misclassifications are reported for the other samples as well after the CCP attack. A similar trend can also be noticed in Fig. 6 over the samples of the Caltech256 dataset. An original image of the 'Chimp' category, correctly classified with high probability, is classified as 'Gorilla' under both the fixed and variable settings. Similarly, a sample image from the 'Gloves' category, correctly classified with high probability, is completely misclassified into the 'Yarmulke' category after the fixed and variable attacks. Moreover, all of the original input images are misclassified into other classes with high confidence after the CCP attack, as shown in Fig. 5 and 6. However, the visual appearance of the original and attacked images is very similar, up to some color perturbation. It shows that color plays an important role in the decision making of a CNN and that the current training procedure does not make the CNN robust to color channel perturbations.

30 Trials VGG16 (fixed, variable) ResNet56 (fixed, variable) DenseNet121 (fixed, variable)
Mean 76.49 75.92 78.38 77.58 60.23 56.46
STD 9.16 0.29 7.54 0.29 10.93 0.35
Minimum 53.59 75.20 59.99 76.94 37.77 55.68
Maximum 88.31 76.36 88.55 78.34 77.95 56.99
Original 93.58 91.44 92.72
Table 1: Experimental results in terms of the accuracy (%) over the original CIFAR10 training data and different test sets. A total of 30 trials are performed. For each model, the fixed and variable columns report the results of the proposed CCP attack with the fixed and variable random weight settings, respectively. STD denotes the standard deviation. Minimum and Maximum denote the minimum and maximum accuracy out of the 30 trials, respectively. Original refers to the accuracy over the original test set.
30 Trials VGG19 (fixed, variable) ResNet18 (fixed, variable) DenseNet121 (fixed, variable)
Mean 28.76 28.01 38.01 41.58 38.10 38.56
STD 6.65 0.36 9.60 0.43 5.98 2.25
Minimum 16.14 27.29 14.77 40.89 26.73 32.67
Maximum 40.55 28.80 51.70 42.61 49.32 42.51
Original 50.42 66.73 64.83
Table 2: Experimental results in terms of the accuracy (%) over the original Caltech256 training data and different test sets. Thirty trials are performed.
30 Trials VGG16 (fixed, variable) ResNet101 (fixed, variable) DenseNet121 (fixed, variable)
Mean 13.31 14.07 26.09 26.72 30.55 31.09
STD 4.04 0.29 4.81 0.29 4.09 0.25
Minimum 3.34 13.48 12.95 26.21 18.26 27.90
Maximum 20.26 14.70 33.54 27.38 37.86 29.23
Original 42.55 59.19 62.52
Table 3: Experimental results in terms of the accuracy (%) over the original TinyImageNet training data and different test sets. Thirty trials are performed.
Accuracy over CIFAR10 Dataset
Type of Attack VGG16 ResNet56 DenseNet121
Without Attack 93.58 91.44 92.72
One Pixel Attack ( ) ( ) ( )
Adversarial Attack ( ) ( ) ( )
CCP Attack (fixed) 76.49 ± 9.16 (↓18.26%) 78.38 ± 7.54 (↓14.28%) 60.23 ± 10.9 (↓35.04%)
CCP Attack (variable) 75.92 ± 0.29 (↓18.87%) 77.58 ± 0.29 (↓15.16%) 56.46 ± 0.35 (↓39.11%)
Accuracy over Caltech256 Dataset
Type of Attack VGG19 ResNet18 DenseNet121
Without Attack 50.42 66.73 64.83
One Pixel Attack ( ) ( ) ( )
Adversarial Attack ( ) ( ) ( )
CCP Attack (fixed) 28.76 ± 6.65 (↓42.96%) 38.01 ± 9.60 (↓43.04%) 38.10 ± 5.98 (↓41.23%)
CCP Attack (variable) 28.01 ± 0.36 (↓44.45%) 41.58 ± 0.43 (↓37.69%) 38.56 ± 2.25 (↓40.52%)
Accuracy over TinyImageNet Dataset
Type of Attack VGG16 ResNet101 DenseNet121
Without Attack 42.55 59.19 62.52
One Pixel Attack ( ) ( ) ( )
Adversarial Attack ( ) ( ) ( )
CCP Attack (fixed) 13.31 ± 4.04 (↓68.72%) 26.09 ± 4.81 (↓55.92%) 30.55 ± 4.09 (↓51.14%)
CCP Attack (variable) 14.07 ± 0.29 (↓66.93%) 26.72 ± 0.29 (↓54.86%) 31.09 ± 0.25 (↓50.27%)
Table 4: The comparison of results for different attacks over the original CIFAR10, Caltech256 and TinyImageNet test sets using the VGG, ResNet and DenseNet models. The results of the proposed CCP attack are reported under both the fixed and variable random weight settings, computed as the average and standard deviation over 30 trials. The impact of each attack is also mentioned in terms of the accuracy drop in % w.r.t. the accuracy without attack. The best and second best results are highlighted in bold and italic, respectively. The ↑ and ↓ symbols represent a gain and a loss, respectively.

4.2 Experimental Results with Original Training Data

In this experiment, the VGG16, ResNet56 and DenseNet121 models are trained over the original CIFAR10 training set. The performance of the trained models is tested over the original CIFAR10 test set as well as over the test sets transformed using the proposed color channel perturbation (CCP) attack with the fixed and variable random weight settings. We perform thirty trials of the experiment as the weights are generated randomly between the lower and upper limits. The average classification test accuracy over the different transformed test sets is reported in Table 9 for the models trained over the original training data. The accuracy over the original test set is also reported in Table 9. The performance in different trials varies over the fixed and variable attack based transformed test sets due to the random weights used in their generation. It can be noted that the average performance degrades significantly after the fixed and variable random weight based CCP attacks, from 93.58% to 76.49% and 75.92%, respectively, using VGG16; from 91.44% to 78.38% and 77.58%, respectively, using ResNet56; and from 92.72% to 60.23% and 56.46%, respectively, using DenseNet121. It is also observed that the variable weight generation scheme leads to a lower standard deviation in the results as compared to the fixed weight generation scheme. This is due to the fact that the random weights for all the images are generated independently in each trial of the variable setting, whereas, in a trial of the fixed setting, the random weights are the same for all the images, leading to a high standard deviation across trials.
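The trial protocol can be summarized by a small evaluation loop of the following form, reusing the hypothetical ccp_attack helper sketched in Section 2; model is assumed to be a compiled Keras classifier whose evaluate call returns the loss followed by the accuracy.

import numpy as np

def evaluate_ccp_trials(model, x_test, y_test, n_trials=30):
    """Mean/STD/min/max accuracy (%) over n_trials random CCP attacks."""
    accs = {'fixed': [], 'variable': []}
    for trial in range(n_trials):
        rng = np.random.default_rng(trial)        # one seed per trial
        for setting, variable in (('fixed', False), ('variable', True)):
            x_attacked = ccp_attack(x_test, variable=variable, rng=rng)
            _, acc = model.evaluate(x_attacked, y_test, verbose=0)
            accs[setting].append(100.0 * acc)
    return {k: (np.mean(v), np.std(v), np.min(v), np.max(v))
            for k, v in accs.items()}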

30 Trials VGG16 (fixed, variable) ResNet56 (fixed, variable) DenseNet121 (fixed, variable)
Mean 90.81 90.89 89.00 88.92 88.83 88.67
STD 0.59 0.61 0.35 0.67 0.35 0.12
Minimum 89.16 88.09 88.31 86.63 88.23 88.39
Maximum 91.35 91.43 89.67 89.59 89.48 88.95
Original 91.42 90.15 90.61
Table 5: Experimental results in terms of the accuracy (%) over the CCP augmented CIFAR10 training data and different test sets. Thirty trials are performed.

The experimental results using VGG19, ResNet18 and DenseNet121 are summarized in Table 10 over the Caltech256 dataset. In this experiment, the CNN models are trained over the original training set and tested over the original as well as the different transformed test sets. We perform 30 trials over the transformed test sets and present the average classification accuracy with the standard deviation (STD) in Table 10. A very similar performance degradation is observed due to the proposed CCP attack over the Caltech256 dataset as well, in spite of it being a higher resolution dataset. After applying the CCP transformation with the variable random weight setting, the original accuracies of 50.42%, 66.73% and 64.83% using the VGG19, ResNet18 and DenseNet121 models drop to 28.01%, 41.58% and 38.56%, respectively. It can also be seen that the standard deviation is lower in the variable random weight setting as the weights are generated independently for each image. Note that the impact of the proposed CCP attack is significant even over the higher resolution Caltech256 dataset.

30 Trials VGG19 (fixed, variable) ResNet18 (fixed, variable) DenseNet121 (fixed, variable)
Mean 40.14 40.07 63.28 63.36 60.93 60.64
STD 3.51 0.25 0.72 0.24 1.54 0.16
Minimum 31.00 39.63 60.72 62.73 57.28 60.35
Maximum 45.18 40.68 64.16 63.69 62.78 61.11
Original 52.57 64.87 62.58
Table 6: Experimental results in terms of the accuracy (%) over the CCP augmented Caltech256 training data and different test sets. Thirty trials are performed.
30 Trials VGG16 (fixed, variable) ResNet101 (fixed, variable) DenseNet121 (fixed, variable)
Mean 34.02 33.82 51.87 51.84 55.64 55.49
STD 1.09 0.23 1.05 0.25 1.02 0.23
Minimum 31.90 33.43 49.19 51.38 53.33 54.98
Maximum 35.99 34.47 53.37 52.35 57.21 55.92
Original 43.73 59.65 63.41
Table 7: Experimental results in terms of the accuracy (%) over the CCP augmented TinyImageNet training data and different test sets. Thirty trials are performed.
Accuracy over CIFAR10 Dataset
Type of Attack VGG16 ResNet56 DenseNet121
Without Attack 91.42 90.15 90.61
One Pixel Attack ( ) ( ) ( )
Adversarial Attack ( ) ( ) ( )
CCP Attack (fixed) 90.81 ± 0.59 (↑18.72%) 89.00 ± 0.35 (↑13.55%) 88.83 ± 0.35 (↑47.48%)
CCP Attack (variable) 90.89 ± 0.61 (↑19.72%) 88.92 ± 0.67 (↑14.62%) 88.67 ± 0.12 (↑57.05%)
Accuracy over Caltech256 Dataset
Type of Attack VGG19 ResNet18 DenseNet121
Without Attack 52.57 64.87 62.58
One Pixel Attack ( ) ( ) ( )
Adversarial Attack ( ) ( ) ( )
CCP Attack (fixed) 40.14 ± 3.51 (↑39.57%) 63.28 ± 0.72 (↑66.48%) 60.93 ± 1.54 (↑59.92%)
CCP Attack (variable) 40.07 ± 0.25 (↑43.06%) 63.36 ± 0.24 (↑52.38%) 60.64 ± 0.16 (↑57.26%)
Accuracy over TinyImageNet Dataset
Type of Attack VGG16 ResNet101 DenseNet121
Without Attack 43.73 59.65 63.41
One Pixel Attack ( ) ( ) ( )
Adversarial Attack ( ) ( ) ( )
CCP Attack (fixed) 34.02 ± 1.09 (↑155.60%) 51.87 ± 1.05 (↑98.81%) 55.64 ± 1.02 (↑82.13%)
CCP Attack (variable) 33.82 ± 0.23 (↑140.37%) 51.84 ± 0.25 (↑94.01%) 55.49 ± 0.23 (↑78.48%)
Table 8: The comparison of results for different attacks over the original CIFAR10, Caltech256 and TinyImageNet test sets using the VGG, ResNet and DenseNet models trained with CCP augmented training data. The results of the proposed CCP attack are reported under both the fixed and variable random weight settings, computed as the average and standard deviation over 30 trials. The % improvement in accuracy after CCP augmentation of the training data w.r.t. the accuracy without training augmentation (as presented in Table 4) is also mentioned. The best and second best improvements are highlighted in bold and italic, respectively. The ↑ and ↓ symbols represent a gain and a loss, respectively.

We also conduct experiments over the TinyImageNet dataset using the VGG16, ResNet101, and DenseNet121 models and report the results for 30 trials over the transformed test sets and the original test set in Table 11. A similar performance degradation is observed using all the models over the TinyImageNet dataset. The performance of VGG16, ResNet101, and DenseNet121 is 42.55%, 59.19% and 62.52%, respectively, over the original test set. The performance of the same networks reduces to roughly 13-14%, 26-27% and 31%, respectively, over the CCP attacked test sets under the fixed and variable settings.

The results obtained over the CIFAR10, Caltech256 and TinyImageNet datasets using the VGG, ResNet and DenseNet models show the high impact of the CCP attack on the performance of the CNNs. Moreover, the CCP attack fools the CNNs irrespective of the image resolution and the CNN model. The accuracy obtained over each dataset using each model in every trial is provided in the supplementary material.

4.3 Results Comparison with Other Attacks

We also compare the results of the proposed CCP attack with existing attacks, such as the One-pixel attack [50] and the Adversarial attack [10]. The untargeted One-pixel attack is easy to perform as it perturbs only a few selected pixels. The adversarial attack, in contrast, involves the addition of carefully designed noise, which is a more complex process. The comparison results are reported in Table 4 in terms of the classification accuracy. The % accuracy drop w.r.t. the accuracy without attack is also mentioned for all the attacks. It is noticed that the proposed CCP attacks fool the CNNs to a greater extent than the other attacks. The One-pixel attack exhibits a limited impact in terms of fooling the CNNs, whereas the Adversarial attack is closer to the proposed CCP attack. The CCP attack is not data dependent, in contrast to the Adversarial attack, and is also much simpler to perform. Moreover, the proposed CCP attack is the first of its kind to exhibit such a high performance degradation of the CNNs through simple color perturbations.

4.4 Experimental Results with CCP Augmented Training Data

We also perform the experiments by including the CCP transformed images in the training datasets. The variable random weight setting is used to generate the new training images using the proposed CCP transformation. However, the test sets remain the same as in the earlier experiments. The experimental results using different CNN models over the augmented CIFAR10, Caltech256 and TinyImageNet datasets are reported in Tables 12, 13 and 14, respectively. The testing is performed over the original test set and the CCP attacked test sets for 30 trials, and the average and standard deviation are reported. It can be seen from these results that the robustness of the trained models against the CCP attack increases greatly after adding the CCP transformed images to the training set, as compared to the results observed without the CCP based augmentation illustrated in Section 4.2. The improvements in the average performance over 30 trials using the VGG16, ResNet56 and DenseNet121 models over the CIFAR10 dataset (Table 9 vs Table 12) are 18.72%, 13.55% and 47.48%, respectively, with the fixed setting test sets and 19.72%, 14.62% and 57.05%, respectively, with the variable setting test sets, after augmentation of the training set. A slight drop in the performance over the original test set is also noticed, from 93.58% to 91.42%, from 91.44% to 90.15% and from 92.72% to 90.61% using the VGG16, ResNet56 and DenseNet121 models, respectively. This is due to the increased generalization of the models for CCP attacked images. However, the improvement over the fixed and variable test sets is more significant than the small drop over the original test set. A similar trend is also observed using the different models over the Caltech256 (Table 10 vs Table 13) and TinyImageNet (Table 11 vs Table 14) datasets. These results show that augmenting the training set with CCP transformed images increases the defense capability of the networks against such attacks over the test data.
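Besides adding CCP transformed copies of the training images offline, as done in the experiments above, the same augmentation can also be applied on the fly during training; the generator below is an illustrative variant of this idea, reusing the ccp_transform helper sketched in Section 2 with an assumed weight range of [0, 1].

import numpy as np

def ccp_augmented_batches(x_train, y_train, batch_size=128, p=0.5, rng=None):
    """Yield mini-batches in which each image is replaced by a
    variable-weight CCP transform with probability p."""
    rng = np.random.default_rng() if rng is None else rng
    n = len(x_train)
    while True:
        idx = rng.choice(n, size=batch_size, replace=False)
        xb, yb = x_train[idx].copy(), y_train[idx]
        for i in range(batch_size):
            if rng.random() < p:
                xb[i] = ccp_transform(xb[i], rng.uniform(0.0, 1.0, size=(3, 3)))
        yield xb, yb

# Example: model.fit(ccp_augmented_batches(x_train, y_train),
#                    steps_per_epoch=len(x_train) // 128, epochs=50)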

4.5 Results Comparison under CCP Augmented Training Data

The comparison results for different attacks over the CIFAR10, Caltech256 and TinyImageNet datasets are summarized in Table 8 using different CNN models, when the CCP based augmentation is used during training. The improvement in the accuracy with CCP augmentation over the accuracy without CCP augmentation (i.e., w.r.t. Table 4) is also computed and shown in Table 8. It can be noticed that the accuracies under the CCP attack on the test data increase significantly across all the datasets and models when CCP augmentation is used during training. The highest performance gain of 155.60% is achieved by VGG16 under the fixed random weight CCP attack over the TinyImageNet dataset. Moreover, the accuracy for the original test set and the other attacks improves marginally over the TinyImageNet dataset. The performance for all the test sets also improves with VGG19 over the Caltech256 dataset. The performance under the Adversarial attack over the CIFAR10 dataset using DenseNet121 is also increased.

We also test the performance under the different attacks when adversarial attack based augmentation is used during training (these results are provided in the supplementary material). It is revealed that adversarial data augmentation improves the performance under the adversarial attack, whereas the performance under the CCP attacks deteriorates further. This shows the suitability of the CCP based augmentation against such attacks. It also opens a future research direction to develop multi-attack representative data augmentation to increase the defense capability of the CNN models.

5 Conclusion

A color channel perturbation (CCP) attack is proposed in this paper to fool CNNs for image classification. The proposed CCP attack is simple and data independent. It uses the Red, Green and Blue channels of the original image to generate the Red, Green and Blue channels of the transformed image. Two transformed test sets are generated based on the fixed and variable random weight schemes. A significant drop in the classification performance is observed over the transformed test sets as compared to the original test set using the VGG, ResNet, and DenseNet models over the CIFAR10, Caltech256, and TinyImageNet datasets. The original samples correctly classified with high confidence are incorrectly classified with high confidence after the CCP attack. A promising impact of the proposed CCP attack is observed in terms of the accuracy drop as compared to the state-of-the-art One-pixel and Adversarial attacks. It is also observed from the histogram analysis that the proposed CCP attack preserves the density distribution but changes the color contribution, while the semantic meaning of the images generated after the CCP attack is preserved. The proposed CCP attack is also applied to the training data to enhance the defense capability of the CNN models. It is observed that the robustness of the models increases when CCP transformed images are included in the training set. The experimental results confirm the high impact of the proposed CCP attack in fooling CNNs for image classification. The results also confirm the enhanced defense capability of the CNN models trained with training data augmented using such attacks.

Acknowledgment

The authors would like to thank Google for providing the Colaboratory service for the GPU accelerated computation used to compute the results in this paper.

References

  • [1] A. Agarwal, R. Singh, M. Vatsa, and N. Ratha (2018) Are image-agnostic universal adversarial perturbations for face recognition difficult to detect?. In IEEE International Conference on Biometrics Theory, Applications and Systems, pp. 1–7. Cited by: §1.
  • [2] K. K. Babu and S. R. Dubey (2020) CDGAN: cyclic discriminative generative adversarial networks for image-to-image transformation. arXiv preprint arXiv:2001.05489. Cited by: §1.
  • [3] S. S. Basha, S. R. Dubey, V. Pulabaigari, and S. Mukherjee (2020) Impact of fully connected layers on performance of convolutional neural networks for image classification. Neurocomputing 378, pp. 112–119. Cited by: §1.
  • [4] A. Bhattad, M. J. Chong, K. Liang, B. Li, and D. A. Forsyth (2019) Big but imperceptible adversarial perturbations via semantic manipulation. arXiv preprint arXiv:1904.06347. Cited by: §1.
  • [5] C. Billovits, M. Eric, and N. Agarwala (2016) Hitting depth: investigating robustness to adversarial examples in deep convolutional neural networks. Stanford University, Tech. Rep. cs231n-119. Cited by: §1.
  • [6] S. R. Dubey, S. Chakraborty, S. K. Roy, S. Mukherjee, S. K. Singh, and B. B. Chaudhuri (2019) DiffGrad: an optimization method for convolutional neural networks. IEEE Transactions on Neural Networks and Learning Systems. Cited by: §1.
  • [7] G. Elsayed, S. Shankar, B. Cheung, N. Papernot, A. Kurakin, I. Goodfellow, and J. Sohl-Dickstein (2018) Adversarial examples that fool both computer vision and time-limited humans. In Advances in Neural Information Processing Systems, pp. 3910–3920. Cited by: §1, §1.
  • [8] Y. Feng, B. Chen, T. Dai, and S. Xia (2020) Adversarial attack on deep product quantization network for image retrieval. AAAI Conference on Artificial Intelligence. Cited by: §1.
  • [9] X. Glorot, A. Bordes, and Y. Bengio (2011) Domain adaptation for large-scale sentiment classification: a deep learning approach. In International Conference on Machine Learning, Cited by: §1.
  • [10] I. J. Goodfellow, J. Shlens, and C. Szegedy (2015) Explaining and harnessing adversarial examples. In International Conference for Learning Representations, Cited by: Figure 2, Figure 3, §1, §1, §2, §2, §4.3.
  • [11] G. Griffin, A. Holub, and P. Perona (2007) Caltech-256 object category dataset. Technical Report 7694, California Institute of Technology. External Links: Link Cited by: Figure 1, Figure 3, §2, Figure 6, §3.2.
  • [12] C. Guo, J. S. Frank, and K. Q. Weinberger (2018) Low frequency adversarial perturbation. arXiv preprint arXiv:1809.08758. Cited by: §1.
  • [13] Y. Guo, Y. Liu, A. Oerlemans, S. Lao, S. Wu, and M. S. Lew (2016) Deep learning for visual understanding: a review. Neurocomputing 187, pp. 27–48. Cited by: §1.
  • [14] K. He, G. Gkioxari, P. Dollár, and R. Girshick (2017) Mask r-cnn. In IEEE International Conference on Computer Vision, pp. 2961–2969. Cited by: §1.
  • [15] K. He, X. Zhang, S. Ren, and J. Sun (2016) Deep residual learning for image recognition. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778. Cited by: §1, Figure 6, §3.1.
  • [16] H. Hosseini and R. Poovendran (2018) Semantic adversarial examples. In IEEE Conference on Computer Vision and Pattern Recognition Workshops, pp. 1614–1619. Cited by: §1.
  • [17] G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger (2017) Densely connected convolutional networks. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 4700–4708. Cited by: §1, Figure 5, §3.1.
  • [18] A. Ioannidou, E. Chatzilari, S. Nikolopoulos, and I. Kompatsiaris (2017) Deep learning advances in computer vision with 3d data: a survey. ACM Computing Surveys 50 (2), pp. 1–38. Cited by: §1.
  • [19] S. Ioffe and C. Szegedy (2015) Batch normalization: accelerating deep network training by reducing internal covariate shift. arXiv preprint arXiv:1502.03167. Cited by: §1.
  • [20] A. Joshi, A. Mukherjee, S. Sarkar, and C. Hegde (2019) Semantic adversarial attacks: parametric transformations that fool deep classifiers. In IEEE International Conference on Computer Vision, pp. 4773–4783. Cited by: §1.
  • [21] K. B. Kancharagunta and S. R. Dubey (2019) Csgan: cyclic-synthesized generative adversarial networks for image-to-image transformation. arXiv preprint arXiv:1901.03554. Cited by: §1.
  • [22] D. P. Kingma and J. Ba (2015) Adam: a method for stochastic optimization. In International Conference for Learning Representations, Cited by: §1, §3.3, §3.3.
  • [23] A. Krizhevsky (2009) Learning multiple layers of features from tiny images. Master’s thesis, University of Toronto. Cited by: Figure 2, Figure 3, §2, §2, Figure 5, §3.2.
  • [24] A. Krizhevsky, I. Sutskever, and G. E. Hinton (2012) Imagenet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems, pp. 1097–1105. Cited by: §1.
  • [25] C. Laidlaw and S. Feizi (2019) Functional adversarial attacks. In Advances in Neural Information Processing Systems, pp. 10408–10418. Cited by: §1.
  • [26] Y. LeCun, Y. Bengio, and G. Hinton (2015) Deep learning. Nature 521 (7553), pp. 436–444. Cited by: §1.
  • [27] W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C. Fu, and A. C. Berg (2016) Ssd: single shot multibox detector. In European Conference on Computer Vision, pp. 21–37. Cited by: §1.
  • [28] W. Liu, Z. Wang, X. Liu, N. Zeng, Y. Liu, and F. E. Alsaadi (2017) A survey of deep neural network architectures and their applications. Neurocomputing 234, pp. 11–26. Cited by: §1.
  • [29] C. Mao, Z. Zhong, J. Yang, C. Vondrick, and B. Ray (2019) Metric learning for adversarial robustness. In Advances in Neural Information Processing Systems, pp. 478–489. Cited by: §1.
  • [30] S. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard (2017) Universal adversarial perturbations. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 1765–1773. Cited by: §1.
  • [31] S. Moosavi-Dezfooli, A. Fawzi, and P. Frossard (2016) Deepfool: a simple and accurate method to fool deep neural networks. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 2574–2582. Cited by: §1, §1.
  • [32] C. Nagpal and S. R. Dubey (2019) A performance evaluation of convolutional neural networks for face anti spoofing. In IEEE International Joint Conference on Neural Networks, pp. 1–8. Cited by: §1.
  • [33] L. Perez and J. Wang (2017) The effectiveness of data augmentation in image classification using deep learning. arXiv preprint arXiv:1712.04621. Cited by: §1.
  • [34] A. Prakash, N. Moran, S. Garber, A. DiLillo, and J. Storer (2018) Deflecting adversarial attacks with pixel deflection. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 8571–8580. Cited by: §1.
  • [35] E. Raff, J. Sylvester, S. Forsyth, and M. McLean (2019) Barrage of random transforms for adversarially robust defense. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 6528–6537. Cited by: §1.
  • [36] D. Ravì, C. Wong, F. Deligianni, M. Berthelot, J. Andreu-Perez, B. Lo, and G. Yang (2016) Deep learning for health informatics. IEEE Journal of Biomedical and Health Informatics 21 (1), pp. 4–21. Cited by: §1.
  • [37] S. P. T. Reddy, S. T. Karri, S. R. Dubey, and S. Mukherjee (2019) Spontaneous facial micro-expression recognition using 3d spatiotemporal convolutional neural networks. In IEEE International Joint Conference on Neural Networks, pp. 1–8. Cited by: §1.
  • [38] J. Redmon, S. Divvala, R. Girshick, and A. Farhadi (2016) You only look once: unified, real-time object detection. In IEEE Conference on Computer Vision and Pattern Recognition, pp. 779–788. Cited by: §1.
  • [39] S. Ren, K. He, R. Girshick, and J. Sun (2015) Faster r-cnn: towards real-time object detection with region proposal networks. In Advances in Neural Information Processing Systems, pp. 91–99. Cited by: §1.
  • [40] S. K. Roy, G. Krishna, S. R. Dubey, and B. B. Chaudhuri (2019) Hybridsn: exploring 3-d-2-d cnn feature hierarchy for hyperspectral image classification. IEEE Geoscience and Remote Sensing Letters. Cited by: §1.
  • [41] O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, M. Bernstein, et al. (2015) Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115 (3), pp. 211–252. Cited by: §1.
  • [42] O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, M. Bernstein, et al. (2015) Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115 (3), pp. 211–252. Cited by: §3.2.
  • [43] A. Severyn and A. Moschitti (2015) Twitter sentiment analysis with deep convolutional neural networks. In 38th International ACM SIGIR Conference on Research and Development in Information Retrieval, pp. 959–962. Cited by: §1.
  • [44] D. Shen, G. Wu, and H. Suk (2017) Deep learning in medical image analysis. Annual Review of Biomedical Engineering 19, pp. 221–248. Cited by: §1.
  • [45] K. Simonyan and A. Zisserman (2014) Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556. Cited by: §1, §3.1.
  • [46] N. Srivastava, G. Hinton, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov (2014) Dropout: a simple way to prevent neural networks from overfitting. The Journal of Machine Learning Research 15 (1), pp. 1929–1958. Cited by: §1.
  • [47] Y. Srivastava, V. Murali, and S. R. Dubey (2019) A performance comparison of loss functions for deep face recognition. In 7th National Conference on Computer Vision, Pattern Recognition, Image Processing and Graphics, Cited by: §1.
  • [48] Y. Srivastava, V. Murali, and S. R. Dubey (2020) Hard-mining loss based convolutional neural network for face recognition. 5th IAPR International Conference on Computer Vision and Image Processing. Cited by: §1.
  • [49] E. Strubell, A. Ganesh, and A. McCallum (2019) Energy and policy considerations for deep learning in nlp. arXiv preprint arXiv:1906.02243. Cited by: §1.
  • [50] J. Su, D. V. Vargas, and K. Sakurai (2019) One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation 23 (5), pp. 828–841. Cited by: Figure 2, Figure 3, §1, §1, §2, §2, §4.3.
  • [51] L. Yao and J. Miller (2015) Tiny imagenet classification with convolutional neural networks. CS231N 2 (5), pp. 8. Cited by: §3.2.
  • [52] T. Young, D. Hazarika, S. Poria, and E. Cambria (2018) Recent trends in deep learning based natural language processing. IEEE Computational IntelligenCe Magazine 13 (3), pp. 55–75. Cited by: §1.
  • [53] C. Zhao, P. T. Fletcher, M. Yu, Y. Peng, G. Zhang, and C. Shen (2019) The adversarial attack and detection under the fisher information metric. In AAAI Conference on Artificial Intelligence, Vol. 33, pp. 5869–5876. Cited by: §1, §1.
  • [54] Z. Zheng and P. Hong (2018) Robust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks. In Advances in Neural Information Processing Systems, pp. 7913–7922. Cited by: §1.

Supplementary Material

  Paper Title: Color Channel Perturbation Attacks for Fooling Convolutional Neural Networks and A Defense Against Such Attacks
Authors: Jayendra Kantipudi, Shiv Ram Dubey and Soumendu Chakraborty
 

Detailed Experimental Results on Different Trials:
The tables in this supplementary material contain the experimental results for 30 trials under different training settings.

Table 9 presents the experimental results for 30 trials over the original CIFAR10 training set using VGG16, ResNet56 and DenseNet121 models for different CIFAR10 test sets.

Table 10 summarizes the classification accuracy for 30 trials over the original Caltech256 training set using VGG19, ResNet18 and DenseNet121 models for different Caltech256 test sets.

Table 11 presents the experimental results on 30 trials over the original TinyImageNet training set using VGG16, ResNet101 and DenseNet121 models for different TinyImageNet test sets.

Table 12 presents the experimental results for 30 trials over the CCP augmented CIFAR10 training set using VGG16, ResNet56 and DenseNet121 models for different CIFAR10 test sets.

Table 13 summarizes the classification accuracy for 30 trials over the CCP augmented Caltech256 training set using VGG19, ResNet18 and DenseNet121 models for different Caltech256 test sets.

Table 14 presents the experimental results on 30 trials over the CCP augmented TinyImageNet training set using VGG16, ResNet101 and DenseNet121 models for different TinyImageNet test sets.

Table 15 presents the experimental results on 30 trials over the CCP augmented CIFAR10 training set using VGG16, ResNet56 and DenseNet121 models for One-pixel and Adversarial attacked CIFAR10 test sets.

Table 16 presents the experimental results on 30 trials over the CCP augmented Caltech256 training set using VGG19, ResNet18 and DenseNet121 models for One-pixel and Adversarial attacked Caltech256 test sets.

Table 17 presents the experimental results on 30 trials over the CCP augmented TinyImageNet training set using VGG16, ResNet101 and DenseNet121 models for One-pixel and Adversarial attacked TinyImageNet test sets.

Table 18 presents the experimental results on 30 trials over the adversarial augmented training sets using different models for different test sets.

Trials VGG16 (fixed, variable) ResNet56 (fixed, variable) DenseNet121 (fixed, variable)
1 64.34 76.03 79.99 77.47 57.44 56.06
2 81.57 75.81 85.41 77.65 66.93 56.59
3 76.11 75.72 81.76 77.44 49.31 56.36
4 79.65 75.86 83.88 77.73 66.89 56.89
5 78.07 76.26 66.50 77.67 57.95 55.83
6 76.07 76.12 88.08 77.49 67.80 56.58
7 70.56 75.90 82.75 77.84 72.65 56.90
8 81.32 76.30 70.72 77.57 73.54 56.09
9 81.69 76.07 81.65 77.09 40.35 55.68
10 86.98 75.82 63.86 77.11 49.48 55.83
11 85.61 76.01 81.99 78.18 60.30 56.34
12 82.99 75.94 65.84 77.86 74.76 56.78
13 80.53 75.81 81.35 77.62 61.96 56.52
14 83.11 76.06 71.17 76.94 73.91 56.71
15 78.18 76.24 79.95 77.28 73.15 56.40
16 85.35 75.98 65.71 77.68 41.66 56.34
17 67.95 76.09 59.99 77.20 54.97 56.20
18 66.60 75.69 82.55 77.44 70.92 56.62
19 77.54 75.76 83.40 77.80 65.61 56.67
20 77.50 75.96 82.37 77.27 43.12 56.11
21 86.76 75.84 74.41 77.61 65.05 56.88
22 58.49 76.24 76.54 77.67 46.09 56.99
23 53.59 75.28 83.01 77.73 37.77 56.52
24 84.70 75.48 86.51 77.76 63.62 55.92
25 71.94 75.91 83.95 78.34 61.00 56.87
26 88.31 75.39 79.84 77.62 62.00 56.78
27 83.03 76.36 80.48 77.37 57.48 56.45
28 66.18 76.25 88.55 77.64 77.95 56.49
29 81.85 76.21 75.42 77.62 57.01 56.64
30 58.17 75.20 83.79 77.72 56.21 56.64
Mean 76.49 75.92 78.38 77.58 60.23 56.46
STD 9.16 0.29 7.54 0.29 10.93 0.35
Minimum 53.59 75.20 59.99 76.94 37.77 55.68
Maximum 88.31 76.36 88.55 78.34 77.95 56.99
Original Accuracy 93.58 91.44 92.72
Table 9: Experimental results in terms of the accuracy (%) over the original CIFAR10 training data and different test sets. Thirty trials are performed using different CNN models, namely VGG16, ResNet56 and DenseNet121. The CCP-F and CCP-V columns represent the results under the proposed CCP attack with the fixed and variable random weight settings, respectively. The STD denotes the standard deviation.
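The Mean, STD, Minimum and Maximum rows summarize the 30 per-trial accuracies of each column and can be reproduced with a few lines of NumPy, as in the sketch below (only the first five VGG16 CCP-F values of Table 9 are listed here; the remaining trials would be appended in the same way).

import numpy as np

# First five of the 30 per-trial accuracies for VGG16 under the
# fixed-weight CCP test set of Table 9 (the full column is used in practice).
acc = np.array([64.34, 81.57, 76.11, 79.65, 78.07])

print(f"Mean:    {acc.mean():.2f}")
print(f"STD:     {acc.std():.2f}")   # population estimate; pass ddof=1 for the sample estimate
print(f"Minimum: {acc.min():.2f}")
print(f"Maximum: {acc.max():.2f}")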
Trials VGG19 (CCP-F / CCP-V) ResNet18 (CCP-F / CCP-V) DenseNet121 (CCP-F / CCP-V)
1 16.14 28.05 38.94 40.97 38.88 37.67
2 30.65 27.48 27.84 41.66 39.47 36.85
3 31.66 28.33 45.00 40.89 49.32 39.79
4 29.36 28.03 41.24 41.37 44.60 41.40
5 30.71 27.93 22.84 41.98 36.35 39.83
6 22.18 28.06 44.91 41.03 39.54 36.76
7 16.57 28.09 47.12 42.00 30.01 40.98
8 35.49 28.33 47.46 41.66 30.99 40.45
9 33.45 27.87 29.48 41.06 42.19 36.26
10 33.64 28.05 51.70 40.98 36.03 39.67
11 21.73 28.00 33.17 42.61 46.79 38.27
12 40.55 28.54 29.86 41.58 29.99 38.81
13 25.91 28.74 40.28 41.61 42.03 37.22
14 33.94 28.22 41.74 40.89 30.15 42.51
15 20.23 28.01 37.45 41.82 37.16 37.93
16 16.26 28.80 22.31 42.00 47.44 35.97
17 38.64 27.61 46.37 41.16 26.73 37.82
18 33.14 28.24 42.49 42.30 40.04 38.60
19 31.37 28.29 29.62 42.11 42.45 34.51
20 36.10 27.77 28.78 41.95 40.79 37.01
21 26.47 27.90 14.77 41.69 27.77 39.86
22 23.43 27.50 43.70 41.34 38.78 38.41
23 26.31 27.76 49.44 42.04 42.96 39.97
24 28.29 27.29 50.63 41.39 39.76 41.08
25 26.23 28.06 38.93 41.64 34.14 42.35
26 24.24 27.92 22.39 41.56 32.50 40.53
27 38.14 27.90 37.67 41.58 45.50 39.70
28 35.05 27.66 44.12 41.69 31.37 38.54
29 23.82 27.71 40.12 41.14 41.72 35.50
30 33.12 28.22 49.95 41.84 37.46 32.67
Mean 28.76 28.01 38.01 41.58 38.10 38.56
STD 6.65 0.36 9.60 0.43 5.98 2.25
Minimum 16.14 27.29 14.77 40.89 26.73 32.67
Maximum 40.55 28.80 51.70 42.61 49.32 42.51
Original Accuracy 50.42 66.73 64.83
Table 10: Experimental results in terms of the accuracy (%) over the original Caltech256 training data and different test sets. Thirty trials are performed using different CNN models, namely VGG19, ResNet18 and DenseNet121. The CCP-F and CCP-V columns represent the results under the proposed CCP attack with the fixed and variable random weight settings, respectively. The STD denotes the standard deviation.
Trials VGG16 (CCP-F / CCP-V) ResNet101 (CCP-F / CCP-V) DenseNet121 (CCP-F / CCP-V)
1 15.48 13.76 27.23 26.32 30.10 31.28
2 14.63 13.93 30.26 27.08 33.39 31.41
3 9.34 14.26 21.18 26.49 26.10 31.31
4 14.13 14.39 25.89 26.65 30.63 30.78
5 20.12 13.96 33.48 26.55 36.01 31.07
6 16.36 13.86 30.40 26.21 35.12 31.20
7 13.71 13.68 26.59 26.51 30.72 30.61
8 16.42 13.96 27.35 27.18 31.28 31.09
9 11.07 14.33 24.35 26.95 34.34 31.12
10 10.96 14.64 23.42 27.05 27.39 31.14
11 3.34 13.48 19.07 26.65 26.86 31.10
12 12.65 14.19 25.52 26.71 30.47 30.59
13 13.91 14.11 25.82 27.38 30.05 31.63
14 17.49 14.11 31.96 26.86 36.54 31.41
15 13.58 14.05 26.74 26.55 29.90 31.22
16 7.89 14.38 17.55 26.82 27.84 30.78
17 12.06 13.96 25.28 26.54 28.73 31.42
18 20.26 14.00 32.98 26.36 37.46 30.89
19 13.70 14.09 25.60 26.74 29.45 30.97
20 10.84 13.85 23.65 26.41 27.56 31.09
21 15.30 14.70 28.66 26.84 31.80 31.20
22 9.22 14.49 21.89 26.57 24.70 31.12
23 13.57 14.03 25.29 26.39 30.21 30.58
24 7.76 14.35 21.00 26.58 24.18 31.10
25 12.20 14.30 23.84 27.03 28.06 30.89
26 14.54 13.84 32.75 26.94 34.22 31.06
27 18.70 13.61 31.10 26.59 35.79 31.01
28 19.68 13.91 33.54 27.06 37.00 31.25
29 14.87 13.87 27.25 26.47 30.70 30.97
30 5.56 13.90 12.95 27.15 19.81 31.45
Mean 13.31 14.07 26.09 26.72 30.55 31.09
STD 4.04 0.29 4.81 0.29 4.09 0.25
Minimum 3.34 13.48 12.95 26.21 19.81 30.58
Maximum 20.26 14.70 33.54 27.38 37.46 31.63
Original Accuracy 42.55 59.19 62.52
Table 11: Experimental results in terms of the accuracy (%) over the original TinyImageNet training data and different test sets. Thirty trials are performed using different CNN models, namely VGG16, ResNet101 and DenseNet121. The CCP-F and CCP-V columns represent the results under the proposed CCP attack with the fixed and variable random weight settings, respectively. The STD denotes the standard deviation.
Trials VGG16 (CCP-F / CCP-V) ResNet56 (CCP-F / CCP-V) DenseNet121 (CCP-F / CCP-V)
1 90.14 90.81 89.14 89.34 89.04 88.54
2 91.18 90.80 88.69 89.33 88.30 88.67
3 91.05 90.43 88.40 89.52 88.43 88.81
4 91.26 91.12 89.00 87.22 89.46 88.78
5 89.16 91.30 89.06 89.38 88.97 88.66
6 90.69 91.29 88.69 88.86 88.49 88.39
7 90.79 91.16 89.33 88.94 88.23 88.88
8 91.04 90.02 89.25 89.26 89.17 88.55
9 91.20 91.19 88.94 89.17 88.40 88.66
10 91.18 91.20 88.34 89.14 88.72 88.60
11 91.34 91.42 88.98 89.44 88.82 88.70
12 89.52 90.78 89.20 89.23 89.19 88.70
13 90.86 91.08 89.15 89.40 88.94 88.95
14 90.87 90.67 89.26 89.15 89.20 88.58
15 91.27 91.38 89.00 86.63 88.64 88.67
16 91.35 91.34 89.14 89.24 88.75 88.75
17 90.98 88.09 89.10 88.91 88.84 88.59
18 91.13 90.89 89.60 88.11 89.48 88.50
19 90.61 91.06 89.01 89.37 89.37 88.72
20 90.97 90.46 88.59 89.44 89.00 88.57
21 90.82 91.43 89.08 89.23 88.65 88.60
22 90.86 91.26 89.16 88.56 89.28 88.68
23 91.34 90.86 89.09 88.44 88.83 88.52
24 91.30 90.89 89.50 89.59 88.49 88.51
25 89.94 91.28 89.67 88.67 88.76 88.67
26 90.97 90.96 89.41 88.90 88.68 88.79
27 90.99 90.87 88.59 88.33 88.33 88.69
28 91.01 91.23 88.43 89.14 89.18 88.71
29 91.19 90.60 88.31 89.43 88.79 88.86
30 89.24 90.89 88.95 88.12 88.34 88.65
Mean 90.81 90.89 89.00 88.92 88.83 88.67
STD 0.59 0.61 0.35 0.67 0.35 0.12
Minimum 89.16 88.09 88.31 86.63 88.23 88.39
Maximum 91.35 91.43 89.67 89.59 89.48 88.95
Original Accuracy 91.42 90.15 90.61
Table 12: Experimental results in terms of the accuracy (%) over the CCP augmented CIFAR10 training data and different test sets. Thirty trials are performed using different CNN models, namely VGG16, ResNet56 and DenseNet121. The CCP-F and CCP-V columns denote the CCP attacked test sets with the fixed and variable random weight settings, respectively.
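Tables 12 to 17 evaluate the proposed defense, i.e. training on data augmented with CCP perturbed images. The sketch below shows one way such an augmentation step could look; the application probability p, the uniform weight range and the row normalization are assumptions made for illustration and are not necessarily the exact policy of the released code.

import numpy as np

def ccp_augment_batch(batch, p=0.5, low=0.0, high=1.0, rng=None):
    # CCP-style training-time augmentation (the defense): with probability p
    # an image is replaced by a version whose channels are stochastic
    # combinations of its original R, G and B channels.
    # batch: float array of shape (N, H, W, 3) with values in [0, 1].
    rng = rng if rng is not None else np.random.default_rng()
    out = batch.copy()
    for i, img in enumerate(batch):
        if rng.random() < p:
            w = rng.uniform(low, high, size=(3, 3))
            w /= w.sum(axis=1, keepdims=True)      # keep intensities bounded
            out[i] = np.clip(img @ w.T, 0.0, 1.0)  # mix the color channels
    return out

In a typical training loop this would be applied to each mini-batch before the forward pass, so the network sees both clean and channel-perturbed versions of the training images.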
Trials VGG19 (CCP-F / CCP-V) ResNet18 (CCP-F / CCP-V) DenseNet121 (CCP-F / CCP-V)
1 42.54 40.02 63.39 63.55 60.86 60.48
2 38.73 39.67 63.11 63.53 60.37 60.80
3 39.86 40.12 63.47 63.61 61.68 60.75
4 41.71 40.08 63.66 63.26 62.41 60.54
5 40.77 40.04 62.83 63.36 61.40 60.58
6 34.39 39.97 63.71 63.42 62.18 60.35
7 35.45 40.15 63.89 63.08 59.82 60.45
8 42.61 40.58 61.30 63.23 57.28 60.82
9 42.49 39.95 63.29 63.53 62.17 60.95
10 39.20 40.05 63.36 63.36 57.41 60.64
11 40.60 40.36 63.69 62.86 61.78 60.51
12 31.00 40.12 63.03 63.10 60.66 60.54
13 42.33 40.12 63.66 63.42 58.29 60.67
14 37.93 40.23 63.84 63.48 60.96 60.64
15 42.38 39.63 62.91 63.11 62.78 60.74
16 36.03 39.79 60.72 63.47 58.68 60.38
17 39.49 39.70 63.45 63.00 60.30 60.62
18 44.15 39.78 64.03 62.73 62.70 60.74
19 44.36 40.28 63.39 63.60 62.42 60.77
20 35.12 39.87 63.34 63.60 62.62 60.83
21 43.06 39.95 64.16 63.32 60.85 60.50
22 42.40 40.68 63.08 63.45 61.75 61.11
23 45.18 40.07 63.05 63.53 62.71 60.64
24 44.58 40.02 63.66 63.60 62.65 60.61
25 36.02 40.41 62.75 62.95 61.68 60.48
26 36.10 40.08 63.81 63.26 59.58 60.64
27 42.43 39.70 63.66 63.65 61.06 60.56
28 44.52 40.41 62.65 63.40 60.88 60.70
29 39.42 40.26 63.74 63.56 58.95 60.46
30 39.41 40.04 63.87 63.69 60.96 60.59
Mean 40.14 40.07 63.28 63.36 60.93 60.64
STD 3.51 0.25 0.72 0.24 1.54 0.16
Minimum 31.00 39.63 60.72 62.73 57.28 60.35
Maximum 45.18 40.68 64.16 63.69 62.78 61.11
Original Accuracy 52.57 64.87 62.58
Table 13: Experimental results in terms of the accuracy (%) over the CCP augmented Caltech256 training data and different test sets. Thirty trials are performed using different CNN models, namely VGG19, ResNet18 and DenseNet121. The CCP-F and CCP-V columns denote the CCP attacked test sets with the fixed and variable random weight settings, respectively.
Trials VGG16 (CCP-F / CCP-V) ResNet101 (CCP-F / CCP-V) DenseNet121 (CCP-F / CCP-V)
1 35.02 33.66 53.37 51.87 56.49 55.57
2 34.04 33.68 52.28 51.61 56.63 55.37
3 32.43 33.81 49.19 52.35 53.33 55.11
4 34.78 33.80 52.39 51.65 56.07 55.43
5 35.79 33.50 52.30 51.75 55.91 55.49
6 33.87 33.89 51.95 51.88 55.30 55.72
7 34.08 33.67 52.70 51.38 56.58 55.33
8 32.66 33.88 51.36 52.15 55.58 55.58
9 35.05 33.86 52.40 52.10 56.92 55.86
10 33.96 33.95 51.59 51.59 55.29 55.25
11 33.15 33.90 51.53 51.74 55.91 55.25
12 34.74 33.80 52.28 51.52 55.50 55.41
13 32.26 34.16 50.87 51.76 55.18 55.42
14 35.16 33.78 52.92 51.63 57.21 55.40
15 35.03 33.93 52.33 52.08 55.66 55.47
16 33.66 34.00 50.61 51.88 54.36 55.81
17 33.93 33.88 53.21 51.66 56.37 55.57
18 34.95 34.47 52.49 52.04 55.87 55.73
19 34.27 33.86 53.28 51.83 57.10 55.65
20 32.45 33.86 50.47 51.84 54.50 55.55
21 33.76 33.70 51.86 51.79 55.78 54.98
22 33.60 34.31 51.59 51.53 54.32 55.18
23 34.95 33.49 53.37 52.17 56.99 55.08
24 32.92 33.98 50.36 51.94 54.42 55.34
25 32.57 33.62 50.30 51.99 54.14 55.41
26 35.35 33.79 51.55 52.16 55.73 55.69
27 34.66 33.43 53.15 51.58 56.71 55.60
28 35.99 33.56 52.28 52.20 56.37 55.82
29 33.56 33.44 51.64 51.39 55.31 55.92
30 31.90 33.97 50.34 52.09 53.67 55.61
Mean 34.02 33.82 51.87 51.84 55.64 55.49
STD 1.09 0.23 1.05 0.25 1.02 0.23
Minimum 31.90 33.43 49.19 51.38 53.33 54.98
Maximum 35.99 34.47 53.37 52.35 57.21 55.92
Original Accuracy 43.73 59.65 63.41
Table 14: Experimental results in terms of the accuracy (%) over the CCP augmented TinyImageNet training data and different test sets. Thirty trials are performed using different CNN models, namely VGG16, ResNet101 and DenseNet121. The CCP-F and CCP-V columns denote the CCP attacked test sets with the fixed and variable random weight settings, respectively.
Trials VGG16 (One-Pixel / Adversarial) ResNet56 (One-Pixel / Adversarial) DenseNet121 (One-Pixel / Adversarial)
1 90.47 81.18 88.99 80.35 89.01 74.80
2 90.43 81.36 88.73 81.45 89.11 74.91
3 90.67 81.45 89.34 80.93 89.17 74.99
4 90.56 81.45 89.06 80.99 89.13 75.38
5 90.62 81.27 88.94 79.32 89.07 75.26
6 90.57 81.27 89.14 80.44 89.12 75.01
7 90.58 81.24 89.24 81.31 89.09 74.99
8 90.42 81.37 89.34 80.56 89.06 75.09
9 90.50 81.28 88.73 82.17 89.14 75.26
10 90.68 81.55 89.03 79.88 89.09 75.26
11 90.60 81.36 88.94 80.51 89.22 75.14
12 90.55 81.64 89.34 80.17 89.12 75.04
13 90.56 81.23 89.14 80.32 89.21 75.24
14 90.53 81.55 89.06 80.68 89.23 75.40
15 90.57 81.38 89.14 80.59 88.98 75.31
16 90.55 81.14 89.24 79.23 89.26 74.95
17 90.68 81.30 88.73 80.24 88.95 75.26
18 90.70 81.18 89.03 81.05 89.06 74.98
19 90.57 81.51 88.94 80.95 88.97 74.86
20 90.73 81.24 88.99 80.82 88.86 75.11
21 90.59 81.23 89.14 80.54 89.06 75.17
22 90.51 81.26 89.06 80.05 89.02 75.10
23 90.45 81.64 89.24 80.45 89.07 74.67
24 90.56 81.14 89.06 81.40 89.19 75.22
25 90.46 81.63 89.34 81.13 89.37 75.12
26 90.51 80.92 89.06 80.54 89.13 74.58
27 90.57 81.70 88.94 80.79 89.38 74.96
28 90.61 81.41 88.94 80.02 89.06 75.55
29 90.63 81.44 89.25 81.33 89.25 74.80
30 90.75 81.39 88.99 80.48 89.25 74.98
Mean 90.57 81.36 89.07 80.62 89.12 75.08
STD 0.08 0.18 0.17 0.61 0.12 0.21
Minimum 90.42 80.92 88.73 79.23 88.86 74.58
Maximum 90.75 81.70 89.34 82.17 89.38 75.55
Original Accuracy 91.41 90.15 90.61
Table 15: Experimental results in terms of the accuracy (%) over the CCP augmented CIFAR10 training data and the attacked test sets. Thirty trials are performed using different CNN models, namely VGG16, ResNet56 and DenseNet121. The two columns under each model correspond to the One-Pixel and Adversarial attacked test sets, respectively.
Trials VGG19 (One-Pixel / Adversarial) ResNet18 (One-Pixel / Adversarial) DenseNet121 (One-Pixel / Adversarial)
1 52.33 49.47 66.67 64.66 62.44 60.29
2 52.30 49.53 66.57 64.69 62.50 60.22
3 52.38 49.39 66.60 64.83 62.49 60.64
4 52.33 49.47 66.62 64.35 62.50 60.32
5 52.31 49.66 66.70 64.66 62.49 60.30
6 52.43 49.53 66.62 64.64 62.46 60.37
7 52.30 49.53 66.70 64.80 62.46 60.37
8 52.33 49.45 66.60 64.72 62.44 60.06
9 52.31 49.60 66.60 64.72 62.58 60.29
10 52.33 49.60 66.57 64.74 62.47 60.53
11 52.30 49.58 66.68 64.77 62.41 60.54
12 52.35 49.45 66.60 64.85 62.52 60.29
13 52.36 49.57 66.59 64.43 62.47 60.40
14 52.35 49.57 66.63 64.61 62.52 60.17
15 52.33 49.37 66.67 64.63 62.52 60.50
16 52.31 49.37 66.67 64.72 62.49 60.25
17 52.31 49.53 66.63 64.88 62.46 60.17
18 52.30 49.57 66.65 64.63 62.55 60.35
19 52.27 49.86 66.63 64.82 62.42 60.32
20 52.31 49.58 66.76 64.90 62.57 60.40
21 52.33 49.52 66.71 64.42 62.47 60.22
22 52.31 49.63 66.73 64.79 62.49 60.32
23 52.36 49.61 66.63 64.61 62.49 60.38
24 52.36 49.29 66.60 64.82 62.50 60.38
25 52.33 49.53 66.59 64.61 62.52 60.62
26 52.35 49.71 66.67 64.64 62.49 60.62
27 52.30 49.61 66.63 64.72 62.42 60.24
28 52.38 49.66 66.59 64.87 62.52 60.45
29 52.33 49.58 66.75 64.61 62.55 60.27
30 52.33 49.57 66.59 64.67 62.44 60.40
Mean 52.33 49.55 66.64 64.69 62.49 60.36
STD 0.03 0.11 0.05 0.13 0.04 0.14
Minimum 52.27 49.29 66.57 64.35 62.41 60.06
Maximum 52.43 49.86 66.76 64.90 62.58 60.64
Original Accuracy 52.57 66.73 62.58
Table 16: Experimental results in terms of the accuracy (%) over the CCP augmented Caltech256 training data and the attacked test sets. Thirty trials are performed using different CNN models, namely VGG19, ResNet18 and DenseNet121. The two columns under each model correspond to the One-Pixel and Adversarial attacked test sets, respectively.
Trials VGG16 (One-Pixel / Adversarial) ResNet101 (One-Pixel / Adversarial) DenseNet121 (One-Pixel / Adversarial)
1 43.63 41.01 59.72 56.83 63.05 60.63
2 43.61 40.70 59.62 56.89 63.12 60.67
3 43.54 40.82 59.47 57.02 63.25 60.60
4 43.66 40.50 59.61 57.12 63.11 60.59
5 43.40 40.81 59.46 56.92 63.00 60.37
6 43.67 41.07 59.47 57.02 63.22 60.56
7 43.58 40.91 59.63 56.95 62.96 60.53
8 43.57 40.87 59.43 57.15 63.11 60.29
9 43.57 41.02 59.62 56.68 62.97 60.46
10 43.56 40.80 59.67 56.69 63.24 60.56
11 43.63 41.10 59.43 57.00 63.12 60.89
12 43.72 40.95 59.55 56.95 63.09 60.71
13 43.49 40.82 59.69 56.81 63.09 60.19
14 43.45 40.80 59.57 56.73 63.26 60.42
15 43.56 40.93 59.70 56.70 63.25 60.61
16 43.58 40.94 59.62 56.79 63.03 60.57
17 43.56 40.88 59.39 56.72 63.10 60.72
18 43.54 41.00 59.66 56.86 63.13 60.07
19 43.54 40.95 59.71 56.94 63.20 60.19
20 43.38 40.86 59.53 57.09 63.28 60.61
21 43.62 40.92 59.58 57.01 63.15 60.46
22 43.35 40.94 59.62 56.77 63.17 60.71
23 43.66 40.54 59.60 56.33 63.01 60.33
24 43.55 40.67 59.62 56.78 63.27 60.68
25 43.44 40.97 59.54 57.03 63.41 60.60
26 43.52 40.97 59.63 56.77 63.23 60.80
27 43.54 40.74 59.63 57.25 63.16 60.53
28 43.72 40.68 59.48 57.02 63.03 60.60
29 43.57 40.98 59.66 56.60 63.02 60.42
30 43.51 40.80 59.72 57.09 63.21 60.58
Mean 43.55 40.87 59.59 56.88 63.14 60.53
STD 0.09 0.14 0.09 0.19 0.11 0.18
Minimum 43.35 40.50 59.39 56.33 62.96 60.07
Maximum 43.72 41.10 59.72 57.25 63.41 60.89
Original Accuracy 43.73 59.65 63.41
Table 17: Experimental results in terms of the accuracy (%) over the CCP augmented TinyImageNet training data and the attacked test sets. Thirty trials are performed using different CNN models, namely VGG16, ResNet101 and DenseNet121. The two columns under each model correspond to the One-Pixel and Adversarial attacked test sets, respectively.
Table 18: Experimental results in terms of the accuracy (%) over the adversarially augmented training sets and different test sets. Results are reported over the CIFAR10 dataset (VGG16, ResNet56 and DenseNet121), the Caltech256 dataset (VGG19, ResNet18 and DenseNet121) and the TinyImageNet dataset (VGG16, ResNet101 and DenseNet121) under the Without Attack, One Pixel Attack, Adversarial Attack and CCP Attack (fixed and variable random weight) test settings.