On Procedural Adversarial Noise Attack And Defense

08/10/2021 · by Jun Yan, et al.

Deep Neural Networks (DNNs) are vulnerable to adversarial examples: small perturbations on input images that mislead neural networks into prediction errors. Researchers have devoted much effort to universal adversarial perturbations (UAPs), which are gradient-free and require little prior knowledge of the data distribution. Procedural adversarial noise attack is a data-free universal perturbation generation method. In this paper, we propose two universal adversarial perturbation (UAP) generation methods based on procedural noise functions: Simplex noise and Worley noise. In our framework, the shading that disturbs visual classification is generated with rendering technology. Without changing the semantic representations, the adversarial examples generated via our methods show superior attack performance.


1 Introduction

The last decade has been an era of deep learning’s renaissance. In the field of computer vision, Convolutional Neural Networks (CNNs) (Krizhevsky et al., 2012; Lin et al., 2014; Simonyan and Zisserman, 2015; Szegedy et al., 2015; Ioffe and Szegedy, 2015; Szegedy et al., 2016, 2017; He et al., 2016; Hu et al., 2018) have been widely used in real applications related to visual perception and cognition. Using automated machine learning (AutoML) to replace hand-crafted neural network design is also a popular trend. Zoph and Le (Zoph and Le, 2017) proposed a neural architecture search method based on reinforcement learning that outperforms most CNN models on prediction accuracy.

However, deep learning cannot guarantee security. Despite high accuracy on clean test data, most CNN models are vulnerable to adversarial examples. White-box attacks (Goodfellow et al., 2015; Kurakin et al., 2017; Madry et al., 2018; Papernot et al., 2016; Moosavi-Dezfooli et al., 2016; Carlini and Wagner, 2017; Athalye et al., 2018b, a) use gradients to update adversarial perturbations, exploiting the model structure during the optimization process. Black-box attacks (Li et al., 2019; Ilyas et al., 2018; Uesato et al., 2018; Brendel et al., 2018; Guo et al., 2019; Moon et al., 2019) rely on many queries of the model's inputs and outputs, which is time-consuming. To make attacks convenient to deploy, researchers seek image-agnostic adversarial perturbations. Universal adversarial perturbations (UAPs) introduced in previous work (Moosavi-Dezfooli et al., 2017) can fool state-of-the-art image classification models with high probability under small perturbations. Such UAPs are quasi-imperceptible and, once computed, require no per-image optimization. The universal perturbations transfer between different images and different models. Many follow-up works (Hayes and Danezis, 2018; Mopuri et al., 2018, 2017, 2019) have since been published.

Generating universal adversarial examples based on procedural noise functions is a promising research direction. These procedural noise functions are commonly used in computer graphics and designed to be parametrizable, customizable, and aesthetic (Lagae et al., 2010). Adding textures and patterns to pictures does not modify their visual semantic representations. The perturbation patterns generated by procedural noise functions have structures similar to existing universal adversarial perturbations (Moosavi-Dezfooli et al., 2017; Khrulkov and Oseledets, 2018). Generally speaking, the human perception system can be disturbed by shadings. Deep visual classifiers show a similar sensitivity: they can be fooled by procedural adversarial noises that act as shadings. Therefore, adversarial learning on such procedural noises can improve a visual classifier's robustness under untargeted attack. The perception systems of autonomous vehicles need a performance guarantee when faced with abnormal sensor scenarios, and the visual content audit systems of Internet enterprises should infer correctly in the case of malicious image tampering. Robustness under procedural adversarial noise is therefore an explorable research direction. A viewpoint was put forward in (Carlini et al., 2019) that defending against random perturbations based on Gaussian noise is a basic requirement; Rayleigh noise, Gamma noise, and Salt-and-Pepper noise are also commonly used noise models. In previous work (Co et al., 2019b, a), two adversarial attacks based on procedural noise functions were proposed with state-of-the-art effect. Nevertheless, many proposed noise attack methods do not yet reach superior performance and need further improvement. Currently, the Perlin noise attack (Co et al., 2019a) is the state-of-the-art procedural adversarial noise attack. However, Perlin noise has several shortcomings: visually significant anisotropy, gradient artifacts, and higher computation cost. These drawbacks of the rendering technique underlying Perlin noise may hinder its adversarial attack performance in computer vision, which inspires us to advance research on procedural adversarial noise attacks. Moreover, before our work, there was almost no discussion of defense technologies against procedural adversarial noise attacks.

In this paper, we propose two universal adversarial perturbation attack methods based on noise functions: the Simplex noise attack and the Worley noise attack. We empirically demonstrate that neural networks are fragile to procedural noises acting as universal adversarial perturbations (UAPs). In the attack experiments, our methods show superior performance compared with state-of-the-art noise attack methods, black-box attack methods, and UAP methods. In the defense experiments, we evaluate denoising methods and the defense methods provided by the RealSafe (Dong et al., 2020) benchmark.

Our contributions in this paper are listed as follows:

  • We propose two procedural adversarial noise perturbation attack methods: Simplex noise perturbations and Worley noise perturbations. Such $\ell_\infty$-norm attacks surpass the state-of-the-art evasion effect on the ImageNet dataset (Russakovsky et al., 2015) and the CIFAR-10 dataset (Krizhevsky and Hinton, 2009).

  • An empirical and comparative study with other transfer-based black-box attack methods, query-based black-box attack methods, and other universal adversarial perturbation (UAP) methods is made to verify the cross-model attack performance of our procedural adversarial noises.

  • To the best of our knowledge, we are one of the earliest groups to discuss defense against procedural adversarial noise attacks and to analyze the associated robustness with an evaluation benchmark.

This paper is organized as follows. Related works are introduced in Section II. In Section III, our proposed approach is illustrated. Metrics and comparisons of experiment results are presented in Section IV. Finally, the conclusion is presented in Section V.

2 Related Work

2.1 Black-Box Adversarial Attack, Universal Adversarial Perturbations, and Procedural Adversarial Noise

Compared with white-box adversarial attacks, which need prior knowledge of model structures and data distributions, black-box attack methods have attracted much research effort. Some black-box adversarial attacks are achieved via the transfer of white-box attacks (Madry et al., 2018; Kurakin et al., 2017; Dong et al., 2018). However, their cross-architecture performance cannot be guaranteed. Other black-box adversarial attack methods that depend on querying the model's input/output (I/O) are score-based (Li et al., 2019; Ilyas et al., 2018; Uesato et al., 2018; Guo et al., 2019) or decision-based (Brendel et al., 2018; Moon et al., 2019). Nevertheless, they require a large number of queries while still offering no guarantee of cross-structure performance.

The universal adversarial perturbations (UAPs) proposed by Dezfooli et al. (Moosavi-Dezfooli et al., 2017) are quasi-imperceptible to human eyes yet can deceive deep neural networks. Normally, UAPs (Moosavi-Dezfooli et al., 2017) exploit geometric correlations between different parts of the classifier's decision boundary. The vanilla UAP methods and the universal perturbation generation methods based on generative models (Hayes and Danezis, 2018; Mopuri et al., 2018) are data-driven, which limits their further usage. Data-independent adversarial perturbations are therefore a research focal point. Mopuri et al. (Mopuri et al., 2017) proposed a data-independent approach to compute universal adversarial perturbations with an efficient and generic objective that constructs image-agnostic perturbations to fool CNNs. They also found that misfiring the features in the hidden layers can lead to eventual misclassification. Mopuri et al. (Mopuri et al., 2019) proposed a data-independent perturbation generation method that exploits minimal prior information about the training data distribution and extended such techniques to object detection and semantic segmentation.

Using procedural adversarial noise as data-independent perturbations is another research direction. The procedural adversarial noise attacks proposed in previous work (Co et al., 2019b, a) are inspired by the theoretical research on UAPs (Khrulkov and Oseledets, 2018). Gabor noise is the convolution of a sparse white noise and a Gabor kernel, making it a type of Sparse Convolution Noise (Lagae et al., 2009, 2010). The Perlin adversarial noise attack (Co et al., 2019a) generates universal adversarial perturbations based on the lattice gradient noise invented in computer graphics research (Perlin, 1985, 2002). However, there are drawbacks in the rendering technique of Perlin noise that may hinder its adversarial attack performance in computer vision. Therefore, it is necessary to promote further research on procedural adversarial noises. Simplex noise was proposed in (Olano et al., 2002), while Worley (Worley, 1996) proposed Worley noise to realize graphics rendering functions. This pioneering research in computer graphics inspires us to explore universal adversarial perturbations in the field of pattern recognition.

2.2 Defense

There are diverse views about the robustness of deep learning. Some researchers are pessimistic, holding that adversarial examples are inevitable for distributions with complex image classes in high-dimensional spaces (Simon-Gabriel et al., 2018; Shafahi et al., 2019; Gilmer et al., 2018); in this view, there is little point in defending against adversarial perturbations. Dezfooli et al. (Moosavi-Dezfooli et al., 2018) showed that the flatness of a neural network's decision boundary can lead to the existence of small perturbations. This work is a theoretical basis of universal adversarial perturbations.

The optimistic view is held in other research. Besides some theoretical analyses (Fawzi et al., 2018; Suggala et al., 2019), many defense methods have been proposed to improve robustness and are evaluated in a benchmark (Dong et al., 2020). The state-of-the-art defenses are adversarial training methods (Madry et al., 2018; Zhang et al., 2019; Tramèr et al., 2018), whose “gradient penalty” mechanism boosts the robustness of neural networks under adversarial attacks. Ross et al. (Ross and Doshi-Velez, 2018) analyzed the “gradient penalty” phenomenon from a theoretical perspective.

In our view, research on the Frequency Principle (F-Principle) of deep learning offers an interpretation of the robustness of neural networks. Xu et al. (Xu et al., 2019) hold that neural networks are inclined to fit low-frequency components first, which corresponds to the generalization ability of the models. Rahaman et al. (Rahaman et al., 2018) analyzed the density and smoothness of the Rectified Linear Unit (ReLU) activation with the Stokes theorem and concluded that the spectral attenuation of the ReLU function is strongly anisotropic in high-dimensional space, while the upper bound of the ReLU function's Fourier transform amplitude is within a Lipschitz constraint. A different viewpoint was proposed by Weinan E et al. (E et al., 2019), arguing with mathematical analysis that high-frequency components are also important: making neural networks robust does not mean discarding high-frequency components immediately. Similar conclusions (Yin et al., 2019; Wang et al., 2020) were reached that adversarial training is related to some high-frequency components while generalization ability is related to the low-frequency components.

In this paper, we make an empirical study of the defense technologies related to the F-Principle and of the defense technologies provided in the released RealSafe (Dong et al., 2020) benchmark, to evaluate robustness under procedural adversarial noise attacks.

3 Approach

In this section, we propose our procedural adversarial noise attack methods.

3.1 Data-independent Perturbations For Fooling

Figure 1: Difference between the white-box attack, the black-box attack with query, and the black-box attack without query. Our proposed procedural adversarial noise attack method requires no query of model input/output information.

The basic problem our paper discusses is defined mainly under the theoretical framework of UAPs (Moosavi-Dezfooli et al., 2017). It aims to craft an image-agnostic perturbation $\delta$ with a procedural noise function to fool the classification $f$ of the CNN on the data distribution $\mu$. The attack should satisfy Eq. (1) when attacking a sample image $x$:

$f(x + \delta) \neq f(x)$, for most $x \sim \mu$.    (1)

The pixel intensities of $\delta$ are constrained, so the noise attack can be regarded as an $\ell_\infty$-norm attack:

$\|\delta\|_\infty \leq \epsilon$.    (2)

In our paper, the attack defined in the form of Eq. (2) is black-box and data-independent. As illustrated in Fig. 1, our proposed method is gradient-free and requires no prior knowledge of model structures or data distributions. In contrast, white-box attack methods are gradient-based, while the popular, non-restricted black-box attack methods have access to model input and output information.
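As a minimal illustration of Eqs. (1) and (2), the sketch below applies a precomputed image-agnostic perturbation under an $\ell_\infty$ budget and measures how often the prediction changes. It assumes a Keras-style classifier with a `predict` method and pixel values in [0, 1]; the function names are hypothetical and only meant to mirror the definitions above.

```python
import numpy as np

def apply_uap(x, delta, eps):
    """Project the perturbation onto the L_inf ball of radius eps (Eq. 2)
    and add it to a batch of images x with pixel values in [0, 1]."""
    delta = np.clip(delta, -eps, eps)
    return np.clip(x + delta, 0.0, 1.0)

def fooling_rate(model, x, delta, eps):
    """Fraction of samples whose top-1 prediction changes (Eq. 1)."""
    clean_pred = model.predict(x).argmax(axis=-1)
    adv_pred = model.predict(apply_uap(x, delta, eps)).argmax(axis=-1)
    return float(np.mean(clean_pred != adv_pred))
```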

3.2 Simplex Noise Attack

Figure 2: Demo of the procedural adversarial attack with the Simplex noise function on the ImageNet dataset. Fig. (a) illustrates a 2D Simplex noise attack, with perturbations generated at an iteration step of 40 pixels under the perturbation budget $\epsilon$. Fig. (b) illustrates a 3D Simplex noise attack with the same iteration step and budget. Fig. (c) illustrates a 4D Simplex noise attack with the same iteration step and budget.

Simplex noise (Olano et al., 2002) can be seen as a variant of Perlin noise whose procedural shading is better suited to real-time hardware platforms. First, it has lower computational complexity, with fewer multiplications than Perlin noise, and scales better to higher dimensions. Second, it has a well-defined and continuous gradient (almost everywhere) that can be computed cheaply. Last but not least, Simplex noise has no noticeable directional artifacts (it is visually isotropic), unlike Perlin noise.

The Simplex noise generation procedure first performs coordinate skewing according to Eq. (3) to transform the input coordinates, where $n$ is the dimension number and $F$ is the skewing factor. The vertex arrangement of a hypercubic honeycomb is squashed along its main diagonal until the distance between the points $(0, 0, \dots, 0)$ and $(1, 1, \dots, 1)$ equals the distance between the points $(0, 0, \dots, 0)$ and $(1, 0, \dots, 0)$. In the 2D case, $x$ and $y$ denote the horizontal and vertical coordinates before the skew, while $x'$ and $y'$ denote the coordinates after the skew:

$F = \dfrac{\sqrt{n+1} - 1}{n}, \quad x' = x + (x + y)\,F, \quad y' = y + (x + y)\,F$.    (3)

Compared with the original Perlin noise, which uses a cubic interpolation grid, Simplex noise uses a grid based on simplicial subdivision. The simplex vertex is then added back to the skewed hypercube's base coordinate and hashed into a pseudo-random gradient direction. The gradient set differs across dimensions (Gustavson, 2005). For 2D, 8 or 16 gradients distributed around the unit circle are a good choice. For 3D, the recommended set of gradients is the midpoints of each of the 12 edges of a cube centered on the origin. For 4D, the set of gradients is formed from the midpoints of each of the 32 edges of a 4D hypercube. After the gradient selection (step 6 of Algorithm 1), the Simplex noise function performs kernel summation on the restored coordinate of each vertex according to Eq. (4), where $n$ is the dimension number and $G$ is the unskewing factor. Eq. (4) recovers the position without skew in the normal simplicial coordinate system; $(x, y)$ is the coordinate without skew while $(x', y')$ is the coordinate with skew:

$G = \dfrac{1 - 1/\sqrt{n+1}}{n}, \quad x = x' - (x' + y')\,G, \quad y = y' - (x' + y')\,G$.    (4)

This unskewed displacement vector $\mathbf{d}$ from each vertex to the evaluated point is used to compute the extrapolated gradient value with a dot product and to calculate the squared distance to the point. Eq. (5) determines each vertex's summed kernel contribution, where the radius parameter $r^2$ is usually set to either 0.5 or 0.6 in previous work (Olano et al., 2002) and $\mathbf{g}$ is the selected gradient:

$\sum_i \big(\max(0,\; r^2 - \|\mathbf{d}_i\|^2)\big)^4 \,\big(\mathbf{g}_i \cdot \mathbf{d}_i\big)$.    (5)

The Simplex noise algorithm is described in Algorithm 1. The adversarial perturbations generated by Algorithm 1 are universal in that they do not depend on models or images. An implementation typically involves four steps: coordinate skewing, simplicial subdivision, gradient selection, and kernel summation. Images carrying the Simplex-noise perturbations can fool neural networks.

Input: The image height $H$, image width $W$, iteration step $T$
             Output: The noise perturbation matrix $M$

1: Initialize the noise matrix $M$
2: for $i = 0$ to $H - 1$ do
3:     for $j = 0$ to $W - 1$ do
4:         Skew the scaled coordinate $(i / T,\ j / T)$ according to Eq. (3);
5:         Sort the values of the internal coordinates in decreasing order to determine which skewed orthoscheme simplex the point lies in;
6:         Add back to the skewed hypercube's base coordinate and hash into a pseudo-random gradient direction;
7:         Unskew the coordinate according to Eq. (4);
8:         Set $M[i, j]$ to the kernel summation value obtained from Eq. (5);
9:     end for
10: return $M$
Algorithm 1 SIMPLEX
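As a rough illustration of how Algorithm 1 could be realized in practice, the sketch below builds a 2D Simplex-noise perturbation map and scales it to an $\ell_\infty$ budget. It leans on the third-party Python `noise` package for the Simplex evaluation (`snoise2`), so the exact parameterization is an assumption rather than the paper's reference implementation; dividing the pixel coordinates by the iteration step is one plausible reading of the step parameter $T$.

```python
import numpy as np
from noise import snoise2  # third-party Simplex noise; assumed available

def simplex_perturbation(height, width, step=40, eps=0.0465):
    """2D Simplex-noise perturbation scaled to the L_inf budget eps."""
    delta = np.empty((height, width), dtype=np.float32)
    for i in range(height):
        for j in range(width):
            # snoise2 returns values roughly in [-1, 1]; the step controls
            # the spatial frequency of the noise lattice.
            delta[i, j] = snoise2(i / step, j / step)
    delta = eps * delta / (np.abs(delta).max() + 1e-12)   # enforce ||delta||_inf <= eps
    return np.repeat(delta[:, :, None], 3, axis=2)        # broadcast to RGB channels

# Example (ImageNet-like setting): delta = simplex_perturbation(224, 224)
```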

Fig. 2 illustrates some qualitative results of the adversarial attack based on the Simplex noise function. The perturbation budget $\epsilon$ of the $\ell_\infty$-norm attack is fixed, and an iteration step of 40 is used to generate 2D, 3D, and 4D Simplex noise. As Fig. 2 shows, the adversarial attack based on the perturbations generated by Simplex noise can fool the prediction of the neural network, or at least disturb the prediction.

3.3 Worley Noise Attack

Figure 3: Demo of the procedural adversarial attack with the Worley noise function on the ImageNet dataset. Fig. (a) illustrates the Worley noise attack with 50 perturbed feature points. Fig. (b) illustrates the Worley noise attack with 100 perturbed feature points.

Worley noise (Worley, 1996) is generated from a cellular texture in which certain points in 3D space are randomly selected. Following “nearest neighbor” principles, the returned function values are mapped to colors or texture coordinates. In the field of computer graphics, this noise function provides solid texturing for rendered objects.

The Worley noise function partitions 3D space into cubes with faces at integer coordinates; in the RGB image scenario, this space corresponds to the image grid. A point with a real-valued coordinate is selected to generate several feature points inside a cube, and this step is repeated until the required number of perturbed points has been generated and added to the set. According to the Euclidean distance defined in Eq. (6), cube feature points are selected, calculated, sorted, and checked under the “nearest neighbor” principle:

$d(p, q) = \sqrt{\sum_k (p_k - q_k)^2}$.    (6)

The implementation is elucidated by the procedure defined in Algorithm 2. The adversarial perturbations generated by Algorithm 2 are universal in that they do not depend on models or images.

Input: The image height $H$, image width $W$, perturbed point number $N$
             Output: The noise perturbation matrix $M$

1: Initialize the image grid matrix according to the image width $W$ and image height $H$
2: Select $N$ points with distinct coordinates at random in the image of height $H$ and width $W$, forming the set $S$
3: for $i = 0$ to $H - 1$ do
4:     for $j = 0$ to $W - 1$ do
5:         Map cube feature points by computing the normalized distance to the “nearest neighbor” in $S$ according to the Euclidean distance in Eq. (6), obtaining the value $M[i, j]$
6:     end for
7: for each entry of $M$ do
8:     Scale the entry to the perturbation range
9: Split into 4 channels and concatenate 3 channels in RGB format to generate the matrix $M$
10: return $M$
Algorithm 2 WORLEY
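The following NumPy sketch captures the spirit of Algorithm 2: scatter $N$ feature points, assign each pixel its normalized distance to the nearest point, and scale the map to an $\ell_\infty$ budget. It broadcasts a single-channel map to RGB rather than reproducing the paper's exact channel split, so treat it as an approximation of the method, not the reference implementation.

```python
import numpy as np

def worley_perturbation(height, width, n_points=100, eps=0.0465, seed=0):
    """Nearest-feature-point (Worley) noise map scaled to [-eps, eps]."""
    rng = np.random.default_rng(seed)
    # Step 2 of Algorithm 2: random feature points inside the image grid.
    points = rng.uniform([0.0, 0.0], [height, width], size=(n_points, 2))

    ys, xs = np.mgrid[0:height, 0:width]
    grid = np.stack([ys, xs], axis=-1).astype(np.float32)        # (H, W, 2)

    # Distance from every pixel to every feature point; keep the nearest (Eq. 6).
    diffs = grid[:, :, None, :] - points[None, None, :, :]
    nearest = np.sqrt((diffs ** 2).sum(axis=-1)).min(axis=-1)     # (H, W)

    nearest /= nearest.max() + 1e-12                              # normalize to [0, 1]
    delta = eps * (2.0 * nearest - 1.0)                           # map to [-eps, eps]
    return np.repeat(delta[:, :, None], 3, axis=2)                # RGB channels
```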

Fig. 3 illustrates some qualitative results of the adversarial attack based on the Worley noise function. The perturbation budget $\epsilon$ of the $\ell_\infty$-norm attack is fixed, and 50 or 100 points are randomly clustered. As we can see from Fig. 3, the ground-truth label is “speedboat” while the prediction under the adversarial attack is “seashore” (50 perturbed points) or “torch” (100 perturbed points). Its performance in fooling neural networks is comparable to or even better than Simplex noise and other procedural adversarial noises.

4 Experiment

In this section, the experiments on procedural adversarial noise attack and defense are presented. Our attack experiment and the defense experiment with denoising methods are implemented under the Keras framework, while the defense methods described in RealSafe (Dong et al., 2020) have their corresponding pre-trained models under vanilla TensorFlow and PyTorch. On ImageNet (Russakovsky et al., 2015), due to computation limits, we use pre-trained models and only test them on the validation set of 50,000 samples. On CIFAR-10 (Krizhevsky and Hinton, 2009), there are 50,000 training images and 10,000 test images; we implement the training procedure ourselves and test on this dataset in the adversarial attack and denoising defense experiments.

4.1 Metrics

The evasion rate of a perturbation over a dataset measures its effectiveness, and we select it as the evaluation metric for attacks. Given the model output $f(x)$, the perturbed input $x + \delta$, and a small $\epsilon$, the universal evasion rate of $\delta$ over the dataset $X$ is defined in Eq. (7):

$\dfrac{\big|\{\, x \in X : \arg\max f(x + \delta) \neq \tau(x) \,\}\big|}{|X|}, \quad \|\delta\|_\infty \leq \epsilon$,    (7)

where $\tau(x)$ is the true class label of $x$. The $\ell_\infty$-norm constraint on $\delta$ ensures that the perturbations are small and do not drastically change the semantic understanding and representation of the images. When the “evasion rate” is used as a metric for UAPs, it can also be called the “universal evasion rate”. This metric is derived from previous work (Co et al., 2019a).

In the defense scenario, we analogously define the robust accuracy in Eq. (8):

$\dfrac{\big|\{\, x \in X : \arg\max f(x + \delta) = \tau(x) \,\}\big|}{|X|}, \quad \|\delta\|_\infty \leq \epsilon$.    (8)
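A small sketch of both metrics, under the assumption of a Keras-style `model.predict` returning class probabilities and integer ground-truth labels; it simply counts predictions that leave (Eq. 7) or stay at (Eq. 8) the true label under the $\ell_\infty$-bounded perturbation.

```python
import numpy as np

def universal_evasion_rate(model, x, y_true, delta, eps):
    """Eq. (7): fraction of inputs whose top-1 prediction differs from the true label."""
    delta = np.clip(delta, -eps, eps)                 # ||delta||_inf <= eps
    x_adv = np.clip(x + delta, 0.0, 1.0)
    preds = model.predict(x_adv).argmax(axis=-1)
    return float(np.mean(preds != y_true))

def robust_accuracy(model, x, y_true, delta, eps):
    """Eq. (8): fraction of inputs still classified correctly under the perturbation."""
    return 1.0 - universal_evasion_rate(model, x, y_true, delta, eps)
```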

4.2 Comparison Experiment of Adversarial Noise Attack

Figure 4: Experiment of procedural adversarial noise attack on ImageNet dataset. Fig. (a) illustrates the experiment of procedural adversarial noise attack on InceptionV3 (Szegedy et al., 2016). Fig. (b) illustrates the experiment of procedural adversarial noise attack on VGG19 (Simonyan and Zisserman, 2015). Fig. (c) illustrates the experiment of procedural adversarial noise attack on ResNet50 (He et al., 2016). Fig. (d) illustrates the experiment of procedural adversarial noise attack on NAS (Zoph and Le, 2017).
Figure 5: Experiment of procedural adversarial noise attack on the CIFAR-10 dataset. Fig. (a) illustrates the experiment of procedural adversarial noise attack on NIN (Lin et al., 2014). Fig. (b) illustrates the experiment of procedural adversarial noise attack on VGG19 (Simonyan and Zisserman, 2015). Fig. (c) illustrates the experiment of procedural adversarial noise attack on ResNet50 (He et al., 2016). Fig. (d) illustrates the experiment of procedural adversarial noise attack on SENet (Hu et al., 2018).

We conduct the procedural adversarial noise attack experiment on ImageNet with four models: InceptionV3 (Szegedy et al., 2016), VGG19 (Simonyan and Zisserman, 2015), ResNet50 (He et al., 2016), and a neural architecture search model (NAS) (Zoph and Le, 2017). They correspond to different convolutional neural network designs: network-in-network structure, directly connected structure, residual structure, and NAS model. Therefore, the cross-model attack performance of the procedural adversarial noises can be evaluated. All these models are pre-trained models shipped with Keras. We only check the top-1 prediction result.

The noise types on ImageNet are listed below. The perturbation budgets $\epsilon$ of the $\ell_\infty$-norm attack are varied over a range of values, where $\epsilon = 0$ means natural testing without adversarial attack:

  • Gaussian noise (line mark is “Gaussian”): it is generated from a normal distribution with mean 10 and standard deviation 50 (a sketch of this and the Salt-and-Pepper baseline appears after this list).

  • Salt-and-Pepper noise (line mark is “SP”): it is generated with Salt-and-Pepper noise at probability 0.1.

  • Gabor noise (Co et al., 2019b) (line mark is “Gabor”): it is generated with Gabor kernels of kernel size 23, with fixed kernel scale, orientation, and bandwidth parameters.

  • Perlin noise (Co et al., 2019a) (line mark is “Perlin”): the number of octaves is fixed, the period is 60, and the frequency of the mapping function is 36.

  • Simplex noise generated in 2D (line mark is “Simplex2D”): iterated with a step of 40 to generate 2D lattice gradient perturbations.

  • Simplex noise generated in 3D (line mark is “Simplex3D”): iterated with a step of 40 to generate 3D lattice gradient perturbations.

  • Simplex noise generated in 4D (line mark is “Simplex4D”): iterated with a step of 40 to generate 4D lattice gradient perturbations.

  • Worley noise with 50 perturbed points (line mark is “Worley_50points”): 50 randomly clustered points are used to generate the Worley noise.

  • Worley noise with 100 perturbed points (line mark is “Worley_100points”): 100 randomly clustered points are used to generate the Worley noise.
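For reference, the Gaussian and Salt-and-Pepper baselines above can be produced with a few lines of NumPy. The sketch assumes 0-255 pixel intensities; in the experiments the resulting noise would additionally be clipped to the $\ell_\infty$ budget $\epsilon$.

```python
import numpy as np

def gaussian_noise(shape, mean=10.0, std=50.0, seed=0):
    """Additive Gaussian baseline drawn from N(mean, std^2)."""
    rng = np.random.default_rng(seed)
    return rng.normal(mean, std, size=shape).astype(np.float32)

def salt_and_pepper(image, prob=0.1, seed=0):
    """Flip each pixel to 0 (pepper) or 255 (salt) with total probability `prob`."""
    rng = np.random.default_rng(seed)
    out = image.copy()
    mask = rng.random(image.shape[:2])
    out[mask < prob / 2] = 0
    out[(mask >= prob / 2) & (mask < prob)] = 255
    return out
```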

The experiment results are illustrated in Fig. 4. When the perturbation budget of the $\ell_\infty$-norm attack is 0.0465, the evasion rates for our proposed methods on Inception-V3 are 0.4935 (Simplex2D), 0.4895 (Simplex3D), 0.5065 (Simplex4D), 0.5929 (Worley_50points), and 0.6336 (Worley_100points). On VGG-19 with the same perturbation budget ($\epsilon = 0.0465$), the evasion rates are 0.5846 (Simplex2D), 0.5940 (Simplex3D), 0.6124 (Simplex4D), 0.6334 (Worley_50points), and 0.6206 (Worley_100points). On ResNet-50 ($\epsilon = 0.0465$), the results are 0.5414 (Simplex2D), 0.5352 (Simplex3D), 0.5427 (Simplex4D), 0.6102 (Worley_50points), and 0.6155 (Worley_100points). The NAS model has the best robustness under the $\ell_\infty$-norm noise attack with this perturbation budget: 0.3505 (Simplex2D), 0.3505 (Simplex3D), 0.3617 (Simplex4D), 0.3957 (Worley_50points), and 0.4181 (Worley_100points).

On CIFAR-10, the Network-in-Network model (NIN) (Lin et al., 2014), VGG19 (Simonyan and Zisserman, 2015), ResNet50 (He et al., 2016), and SENet (Hu et al., 2018) are trained by ourselves. These four models correspond to the network-in-network structure, directly connected structure, residual structure, and attention model, respectively. The noise attack procedure follows the design of the ImageNet experiment, except that the Simplex noise is generated with an iteration step of 4. Also, the perturbation budgets $\epsilon$ of the $\ell_\infty$-norm attack are varied over a range of values, where $\epsilon = 0$ means natural testing without adversarial attack. The experiment results are illustrated in Fig. 5. When the perturbation budget of the $\ell_\infty$-norm attack is 0.0465, the evasion rates for our proposed methods on NIN are 0.3456 (Simplex2D), 0.3486 (Simplex3D), 0.3738 (Simplex4D), 0.3242 (Worley_50points), and 0.3528 (Worley_100points). On VGG-19 with the same perturbation budget ($\epsilon = 0.0465$), the evasion rates are 0.3456 (Simplex2D), 0.3486 (Simplex3D), 0.3738 (Simplex4D), 0.2859 (Worley_50points), and 0.3135 (Worley_100points). On ResNet-50 ($\epsilon = 0.0465$), the results are 0.3564 (Simplex2D), 0.3528 (Simplex3D), 0.3900 (Simplex4D), 0.3401 (Worley_50points), and 0.3698 (Worley_100points). SE-Net with the attention mechanism has the best robustness under the $\ell_\infty$-norm noise attack with this perturbation budget: 0.1987 (Simplex2D), 0.2044 (Simplex3D), 0.2190 (Simplex4D), 0.1717 (Worley_50points), and 0.2016 (Worley_100points).

We can obtain some meaningful summaries of the attack experiment:

1) Our proposed procedural adversarial attack methods surpass the state-of-the-art methods. Worley noise's evasion rate slightly exceeds Simplex noise's under the same conditions on ImageNet, whereas Simplex noise demonstrates superior attack performance on CIFAR-10.

2) On ImageNet, as Fig. 4 demonstrates, NAS (Zoph and Le, 2017) is the least sensitive to all types of adversarial attacks, which testifies to the value of research on neural architecture search and automated machine learning (AutoML); our experiment results verify this.

3) On CIFAR-10, as Fig. 5 shows, SENet (Hu et al., 2018) with channel attention is the least sensitive to all the black-box noise attacks. As we can see from the experiment results, the evasion rates on SENet do not surpass 25%. This perhaps accords with the conjecture that the attention mechanism is beneficial to robustness.

4.3 Comparison Experiment of Black-Box Adversarial Attack

Figure 6: Black-box adversarial attacks on VGG19 (Simonyan and Zisserman, 2015) with query limitation on ImageNet.

In this subsection, we compare our methods with query-based black-box attack methods (Guo et al., 2019; Moon et al., 2019) under query-limited settings and with transfer-based black-box attack methods (Madry et al., 2018; Kurakin et al., 2017; Dong et al., 2018), to show the superior performance of our proposed restricted black-box attack methods.

On ImageNet, VGG19 (Simonyan and Zisserman, 2015) is the model to be attacked. The following five methods are compared in the query-limited setting.

  • Simplex noise generated in 4D (line mark is ”Simplex4D”): iterated with a step of 40 to generate 4D lattice gradient perturbations.

  • Worley noise with 100 perturbed points (line mark is ”Worley_100points”): 100 randomly clustered points are used to generate the Worley noise.

  • Simple pixel attack (line mark is ”PixelAttack”) (Guo et al., 2019): the black-box attack is launched at the pixel level, with the query number limited to 1000.

  • Simple low-frequency attack (line mark is ”LowFreqAttack”) (Guo et al., 2019): the attack is implemented in the frequency domain with the DCT transform, with the query number limited to 1000.

  • Parsimonious black-box attack via combinatorial optimization (line mark is ”ParsimoniousAttack”) (Moon et al., 2019): this black-box attack is realized by an efficient discrete surrogate to the combinatorial optimization problem, with the query number limited to 500.

As Fig. 6 illustrates, our proposed Simplex noise attack (”Simplex4D”) and Worley noise attack (”Worley_100points”) outperform the other state-of-the-art methods on the evasion rate metric when the query numbers of the query-based black-box attack methods are limited to the listed budgets.

In the transfer-setting experiment, we select 10,000 samples from the ImageNet validation set. We generate white-box adversarial examples via PGD (Madry et al., 2018), BIM (Kurakin et al., 2017), and MIM (Dong et al., 2018) on InceptionV3 (Szegedy et al., 2016) and use them to attack the VGG19 model (Simonyan and Zisserman, 2015). Due to limited computation power, we only test a single perturbation budget of the $\ell_\infty$-norm attack. TABLE 1 shows that our proposed Simplex noise attack (”Simplex4D”) and Worley attack (”Worley_100points”) outperform the three compared methods, despite their high attack success rate (around 0.9) on the InceptionV3 model (Szegedy et al., 2016). Simplex noise and Worley noise belong to the universal adversarial perturbations, so the attack transfers between different model structures without large performance degradation, whereas the transfer-based adversarial attack methods built on white-box attacks suffer from performance decay.

Attack methods Evasion rate
PGD 0.2916
BIM 0.3943
MIM 0.3998
Simplex4D (our method) 0.6124
Worley_100points (our method) 0.6206
Table 1: COMPARISON OF BLACK-BOX ADVERSARIAL ATTACK IN THE TRANSFER SETTINGS ON IMAGENET.
Figure 7: Black-box adversarial attacks on VGG19 (Simonyan and Zisserman, 2015) with query limitation on CIFAR-10.
Figure 8: Black-box adversarial attacks on VGG19 (Simonyan and Zisserman, 2015) in transfer-settings.

On CIFAR-10, we compare our proposed methods with the state-of-the-art black-box attack methods (Guo et al., 2019; Moon et al., 2019) in the query-limited setting. The perturbation budget $\epsilon$ of the $\ell_\infty$-norm attack is varied. The tested methods include:

  • Simplex noise generated in 4D (line mark is ”Simplex4D”, our method): iterated with a step of 4 to generate 4D lattice gradient perturbations.

  • Worley noise with 100 perturbed points (line mark is ”Worley_100points”, our method): 100 randomly clustered points are used to generate the Worley noise.

  • Simple pixel attack (line marks are ”PixelAttack1” and ”PixelAttack2”) (Guo et al., 2019): the black-box attack is launched at the pixel level; ”PixelAttack1” uses 100 queries while ”PixelAttack2” uses 500 queries.

  • Simple low-frequency attack (line marks are ”LowFreqAttack1” and ”LowFreqAttack2”) (Guo et al., 2019): the attack is implemented in the frequency domain with the DCT transform; ”LowFreqAttack1” uses 100 queries while ”LowFreqAttack2” uses 500 queries.

  • Parsimonious black-box attack via combinatorial optimization (line marks are ”ParsimoniousAttack1” and ”ParsimoniousAttack2”) (Moon et al., 2019): this black-box attack is realized by an efficient discrete surrogate to the combinatorial optimization problem; ”ParsimoniousAttack1” uses 100 queries while ”ParsimoniousAttack2” uses 200 queries.

As Fig. 7 illustrates, our proposed Simplex noise attack (”Simplex4D”) and Worley noise attack (”Worley_100points”) demonstrate superior performance when the perturbation budget $\epsilon$ is not small.

In the transfer-setting experiment on CIFAR-10, we compare three black-box attacks transferred from white-box adversarial examples: PGD (Madry et al., 2018), BIM (Kurakin et al., 2017), and MIM (Dong et al., 2018). The adversarial examples are generated on ResNet56 (He et al., 2016) until the attack converges and are then transferred to attack VGG-19 (Simonyan and Zisserman, 2015). We find that adversarial examples with a 90% to 100% attack success rate on ResNet56 show inferior performance when attacking VGG19. The result is illustrated in Fig. 8, which gives empirical evidence that our proposed attack methods do not depend on model knowledge.

In summary, our proposed methods surpass the state-of-the-art methods on the evasion rate metric in both the query-limited setting and the transfer setting.

4.4 Comparison Experiment of Universal Adversarial Perturbations

In this subsection, the evasion rates of our proposed methods and of state-of-the-art universal perturbation generation methods (Moosavi-Dezfooli et al., 2017; Hayes and Danezis, 2018; Mopuri et al., 2018, 2017, 2019) are compared. On ImageNet, five methods are compared on VGG-19 (Simonyan and Zisserman, 2015) with a fixed perturbation budget $\epsilon$ of the $\ell_\infty$-norm attack:

  • Simplex noise generated in 4D: the setting is the same as in the procedural adversarial noise attack experiment.

  • Worley noise with 100 perturbed points: the setting is the same as in the procedural adversarial noise attack experiment.

  • Universal Adversarial Perturbation (UAP) (Moosavi-Dezfooli et al., 2017): It is a vanilla universal adversarial generation method, which is data-driven.

  • Fast Feature Fool (FFF) (Mopuri et al., 2017): a data-independent perturbation generation method with low computation time; here the adversarial examples are generated on VGG16, VGG19, VGGF (Simonyan and Zisserman, 2015), and InceptionV1 (Szegedy et al., 2015).

  • Generalizable data-independent Universal Adversarial Perturbation (GD-UAP) (Mopuri et al., 2019): This method can be tested in three different settings: with full data, with range prior, and no data. The adversarial examples are generated on VGG-series models, InceptionV1, and ResNet152 (He et al., 2016).

As illustrated in TABLE 2, in specific settings, our data-independent universal perturbation generation methods with procedural adversarial noise functions surpass both the data-driven and data-independent UAP generation methods (Moosavi-Dezfooli et al., 2017; Mopuri et al., 2017, 2019).

Attack methods UAP-generation model Data setting Evasion rate
UAP InceptionV1 With full data 0.3992
FFF-1 VGG-19 No data 0.5098
FFF-2 VGG-16 No data 0.5133
FFF-3 VGGF No data 0.4971
FFF-4 InceptionV1 No data 0.5049
GD-UAP VGG-19 No data 0.5225
GD-UAP VGG-16 No data 0.5134
GD-UAP VGGF No data 0.5432
GD-UAP InceptionV1 No data 0.4326
GD-UAP InceptionV1 With full data 0.5225
GD-UAP InceptionV1 With range prior 0.5134
GD-UAP ResNet152 No data 0.4093
GD-UAP ResNet152 With full data 0.4955
GD-UAP ResNet152 With range prior 0.4387
Simplex4D (our method) - No data 0.5516
Worley_100points (our method) - No data 0.5598
Table 2: COMPARISON OF UNIVERSAL ADVERSARIAL PERTURBATION METHODS ON VGG-19.

On CIFAR-10, the methods listed below are tested. It is worth mentioning that most proposed UAP methods do not provide an official baseline on CIFAR-10; this work reproduces the UAP algorithms on the CIFAR-10 dataset.

  • Simplex noise generated in 4D: the setting is the same as in the procedural adversarial noise attack experiment.

  • Worley noise with 100 perturbed points: the setting is the same as in the procedural adversarial noise attack experiment.

  • Universal adversarial perturbation (UAP) (Moosavi-Dezfooli et al., 2017): It is a vanilla universal adversarial generation method, which is data-driven.

  • Generalizable data-independent Universal Adversarial Perturbation (GD-UAP) (Mopuri et al., 2019): On CIFAR-10, only data-independent methods are tested.

  • Universal adversarial network (UAN) (Hayes and Danezis, 2018): The method is based on generative models to produce perturbations from a clean dataset.

  • Network for Adversarial Generation (NAG) (Mopuri et al., 2018): a generative adversarial network is introduced to sample and produce perturbations.

As shown in Fig. 9, our proposed methods surpass the state-of-the-art UAP generation methods on CIFAR-10 when the perturbation budget $\epsilon$ is sufficiently large.

Figure 9: Universal adversarial perturbation attacks on VGG19 (Simonyan and Zisserman, 2015) on CIFAR-10.

4.5 Hyper-parameter Experiment

In this subsection, two hyper-parameters of our proposed methods are examined for their effect on the performance metrics. The iteration step is the hyper-parameter of the Simplex noise attack, defined as $T$ in Algorithm 1. The perturbed point number is the hyper-parameter of the Worley noise attack, defined as $N$ in Algorithm 2.

On ImageNet, we test the “Simplex4D” scenario with different iteration steps, and we vary the perturbed point number of the Worley noise attack. The results of the hyper-parameter experiment are illustrated in Fig. 10 and Fig. 11.

Figure 10: Evasion rate of Simplex attack method with different iteration steps on ImageNet.
Figure 11: Evasion rate of the Worley attack method with different perturbed point numbers on ImageNet.

On CIFAR-10, we also test the “Simplex4D” scenario with different iteration steps in a smaller search space, and we vary the perturbed point number of the Worley noise attack. The results of the hyper-parameter experiment are illustrated in Fig. 12 and Fig. 13.

Figure 12: Evasion rate of Simplex attack method with different iteration steps on CIFAR-10.
Figure 13: Evasion rate of Worley attack method with different perturbed point numbers on CIFAR-10.

As can be seen from Fig. 10, Fig. 11, Fig. 12, and Fig. 13, the iteration step matters for the Simplex noise attack when the image size is large (e.g., ImageNet data); otherwise, the settings of these hyper-parameters have little effect.

4.6 Experiment of Denoising-based Defense Methods

Figure 14: Experiment of denoising defense on the ImageNet dataset. Fig. (a) illustrates the experiment of denoising methods combined with InceptionV3 (Szegedy et al., 2016) against adversarial noise attack. Fig. (b) illustrates the experiment of denoising methods combined with VGG19 (Simonyan and Zisserman, 2015) against adversarial noise attack. Fig. (c) illustrates the experiment of denoising methods combined with ResNet50 (He et al., 2016). Fig. (d) illustrates the experiment of denoising methods combined with NAS (Zoph and Le, 2017).
Figure 15: Experiment of denoising defense on CIFAR-10. Fig. (a) illustrates the experiment of denoising methods combined with NIN (Lin et al., 2014) against adversarial noise attack. Fig. (b) illustrates the experiment of denoising methods combined with VGG19 (Simonyan and Zisserman, 2015) against adversarial noise attack. Fig. (c) illustrates the experiment of denoising methods combined with ResNet50 (He et al., 2016). Fig. (d) illustrates the experiment of denoising methods combined with SENet (Hu et al., 2018).

In the denoising experiment on ImageNet, we use the Gaussian filter, bilateral filter, and median filter for denoising defense. The attack types are set as in the adversarial noise attack experiment. We only test the scenario in which the perturbation budget of the $\ell_\infty$-norm attack is set to 0.0465. The experiment result is shown in Fig. 14, from which we draw the coarse conclusion that denoising methods have no effect on the ImageNet dataset. This perhaps accords with the hypothesis (Simon-Gabriel et al., 2018; Shafahi et al., 2019; Gilmer et al., 2018) that neural networks with large numbers of classes are inclined to be more vulnerable.

The result on CIFAR-10 under the same perturbation budget is completely different. As Fig. 15 illustrates, bilateral filtering and the denoising autoencoder (denoising AE) are the two best methods for preserving robust accuracy. The F-Principle perhaps works when the number of image classes is not large, because the bilateral-filter-based denoising method shows superior performance in defending against the procedural adversarial noise attack.

In summary, denoising methods are ineffective for complex image classes in high-dimensional spaces; however, when the number of image classes is not large, denoising with an AE or bilateral filtering helps improve robust accuracy. Taking VGG-19 as an example, when the perturbation budget of the $\ell_\infty$-norm attack is set to 0.0465, the robust accuracies with bilateral filtering are 0.8590 (Simplex2D), 0.8596 (Simplex3D), 0.858 (Simplex4D), 0.8599 (Worley_50points), and 0.8595 (Worley_100points). The robust accuracies with the denoising AE on VGG-19 are 0.8646 (Simplex2D), 0.8616 (Simplex3D), 0.8635 (Simplex4D), 0.8688 (Worley_50points), and 0.8732 (Worley_100points). Compared with the AE-based denoising method, the bilateral-filter-based denoising method does not require an additional training process. The experiment result supports the F-Principle view that the robustness of neural networks is related to both the low-frequency components and some high-frequency components.
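For concreteness, the three filter-based defenses can be applied as a pre-processing step before classification, for example with OpenCV as sketched below. The filter parameters here are illustrative assumptions, not the exact values used in our experiments.

```python
import cv2

def denoise(image_uint8, method="bilateral"):
    """Apply a pre-processing denoising defense to an 8-bit image."""
    if method == "gaussian":
        return cv2.GaussianBlur(image_uint8, (5, 5), 1.0)   # 5x5 kernel, sigma = 1.0
    if method == "median":
        return cv2.medianBlur(image_uint8, 5)               # 5x5 median filter
    if method == "bilateral":
        # diameter 9, range sigma 75, spatial sigma 75 (edge-preserving smoothing)
        return cv2.bilateralFilter(image_uint8, 9, 75, 75)
    raise ValueError(f"unknown method: {method}")

# Usage: predictions = model.predict(denoise(x_adv_uint8, "bilateral")[None] / 255.0)
```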

4.7 Experiment of Defense Methods in the RealSafe (Dong et al., 2020) Benchmark

In this experiment, we keep the adversarial noise settings from the denoising experiment.

On ImageNet, the experiment is conducted on Inception v3 (Inc-v3) (Szegedy et al., 2016), ensemble adversarial training (Ens-AT) (Tramèr et al., 2018), adversarial logit pairing (ALP) (Kannan et al., 2018), feature denoising (FD) (Xie et al., 2019), JPEG compression (JPEG) (Dziugaite et al., 2016), bit-depth reduction (Bit-Red) (Xu et al., 2018), random resizing and padding (RP) (Xie et al., 2018), and RandMix (Zhang and Liang, 2019). The experiment result is illustrated in Table 3. As we can see, the performance of Ens-AT (Tramèr et al., 2018) does not degrade much under most adversarial noise attacks except Worley noise, and the performance of the feature denoising model (Xie et al., 2019) is stable at the cost of test accuracy.

Defense Gaussian SP Gabor Perlin Simplex2D Simplex3D Simplex4D Worley50 Worley100
Inc-v3 0.7804 0.7722 0.5785 0.5343 0.7290 0.7270 0.7330 0.3293 0.3228
Ens-AT 0.7413 0.7234 0.6239 0.6473 0.7060 0.7050 0.7150 0.5270 0.5593
ALP 0.4844 0.4800 0.4598 0.4621 0.4620 0.4540 0.4580 0.3855 0.4616
FD 0.6422 0.6413 0.6300 0.6342 0.6320 0.6330 0.6330 0.6326 0.6328
JPEG 0.7705 0.7591 0.5578 0.5546 0.7140 0.7030 0.7040 0.3311 0.3442
Bit-Red 0.6576 0.6523 0.5340 0.5541 0.6920 0.6770 0.6760 0.4398 0.4533
RP 0.7512 0.7280 0.5402 0.5198 0.6938 0.6894 0.6887 0.3052 0.3191
RandMix 0.5330 0.5192 0.3432 0.4125 0.4997 0.4928 0.4934 0.3259 0.3576
Table 3: DEFENSE METHODS OF REALSAFE (Dong et al., 2020) AGAINST PROCEDURAL ADVERSARIAL NOISE ATTACKS ON IMAGENET

On CIFAR-10, the defense models include ResNet-56 (Res-56) (He et al., 2016), PGD-based adversarial training (PGD-AT) (Madry et al., 2018), DeepDefense (Yan et al., 2018), TRADES (Zhang et al., 2019), the convex outer polytope (ConvexDefense) (Wong et al., 2018), JPEG compression (JPEG) (Dziugaite et al., 2016), random self-ensemble (RSE) (Liu et al., 2018), and adaptive diversity promoting (ADP) (Pang et al., 2019). The result is illustrated in Table 4: PGD-AT (Madry et al., 2018), TRADES (Zhang et al., 2019), and RSE (Liu et al., 2018) are robust against these attacks, which suggests that adversarial training and ensembling are two effective ways to improve the robustness of neural network models.

Defense Gaussian SP Gabor Perlin Simplex2D Simplex3D Simplex4D Worley50 Worley100
Res-56 0.9177 0.8104 0.7620 0.6329 0.5054 0.4787 0.4801 0.5604 0.516
PGD-AT 0.8716 0.8652 0.8519 0.8551 0.8547 0.8569 0.8622 0.8590 0.8597
DeepDefense 0.7797 0.6457 0.6140 0.5283 0.4074 0.3076 0.4033 0.5445 0.4922
TRADES 0.8505 0.8431 0.8305 0.8299 0.8293 0.8301 0.8293 0.8281 0.8294
Convex 0.6579 0.6596 0.6524 0.6582 0.6591 0.6606 0.6590 0.6571 0.6590
JPEG 0.8859 0.7330 0.6693 0.5671 0.4359 0.4159 0.4139 0.5182 0.4371
RSE 0.8579 0.8575 0.8379 0.8535 0.8538 0.8551 0.8561 0.8554 0.8578
ADP 0.9325 0.8870 0.8262 0.7471 0.6306 0.6131 0.6075 0.7404 0.6982
Table 4: DEFENSE METHODS OF REALSAFE (Dong et al., 2020) AGAINST PROCEDURAL ADVERSARIAL NOISE ATTACKS ON CIFAR-10

We also test the defense methods against our proposed methods and other universal adversarial perturbation generation methods: Simplex4D, Worley100 (with 100 perturbed points), UAP (Moosavi-Dezfooli et al., 2017), FFF (Mopuri et al., 2017), and GD-UAP (Mopuri et al., 2019) in three settings (with data, data-free, with range prior). The UAP adversarial examples are generated on InceptionV1 (Szegedy et al., 2015), while the FFF and GD-UAP adversarial examples are generated on VGG-19 (Simonyan and Zisserman, 2015). As TABLE 5 illustrates, JPEG compression and ensemble adversarial training are two effective defenses against universal adversarial perturbations.

Defense UAP FFF GD-UAP (data) GD-UAP (free) GD-UAP (range prior) Simplex4D Worley100
Inc-v3 0.633 0.569 0.405 0.564 0.446 0.733 0.3228
Ens-AT 0.622 0.585 0.494 0.572 0.523 0.71 0.5593
ALP 0.339 0.282 0.292 0.26 0.293 0.458 0.4616
FD 0.479 0.442 0.436 0.444 0.429 0.633 0.6328
JPEG 0.6449 0.584 0.411 0.576 0.464 0.704 0.3442
Bit-Red 0.537 0.488 0.407 0.473 0.444 0.676 0.4533
RP 0.588 0.5279 0.3958 0.5158 0.4375 0.6887 0.3191
RandMix 0.4073 0.373 0.3297 0.3706 0.3435 0.4934 0.3576
Table 5: DEFENSE METHODS OF REALSAFE (Dong et al., 2020) AGAINST UNIVERSAL ADVERSARIAL PERTURBATIONS ON IMAGENET

In summary, adversarial training methods (Madry et al., 2018; Zhang et al., 2019; Tramèr et al., 2018) are effective in defending against procedural adversarial noise attacks and universal adversarial perturbations.

4.8 Discussion

  • Why are the proposed two attacks effective at fooling neural networks? In the real world, human eyes can be interfered with by shadings. The procedural adversarial noise attack, based on computer graphics rendering technologies, generates shadings inspired by this interference mechanism in the human perception system, which leads to deception of neural networks. Currently, there are no effective methods to separate and remove such shadows (Sanin et al., 2012). Moreover, adding universal adversarial perturbations based on procedural noise functions augments the high-frequency components, which causes uncertainty in the pixel domain. Last but not least, current computer vision algorithms rely on pixel-level recognition instead of global semantic understanding, which leads to vulnerabilities under these attacks.

  • The cost of the procedural adversarial noise attack. The procedural adversarial noise attack is an $\ell_\infty$-norm attack, which limits the amount by which any pixel is perturbed to achieve the adversary's goal. In some scenarios, an $\ell_\infty$-norm attack affects the quality of the image, although it does not change the meaning of the image. Our proposed Simplex noise attack and Worley noise attack do not depend on prior knowledge of the model and achieve considerable evasion rates. The computation cost of Simplex noise is $O(n^2)$ in $n$ dimensions, compared with $O(2^n)$ for Perlin noise. However, generating such procedural adversarial noises requires iterating over the whole image space.

  • What are potentially effective defense technologies? The Frequency Principle (F-Principle) can interpret the robustness of neural network models. As the denoising defense experiments on CIFAR-10 show, both the low-frequency components related to image features and the high-frequency components connected with robustness are important: the bilateral filtering denoising method, which behaves like a band-pass filter, outperforms the denoising methods based on the Gaussian filter and the median filter. Moreover, adversarial robustness can be achieved via adversarial training. Madry et al. (Madry et al., 2018) pointed out that there exists a “gradient penalty” phenomenon in adversarial training: adding perturbations is a gradient ascent operation that penalizes overly large descending gradients during optimization. This “gradient penalty” mechanism supports robustness in deep learning. The empirical study on ImageNet further validates this analysis: the InceptionV3 model trained with augmented perturbations from diverse CNNs (Ens-AT) (Tramèr et al., 2018) is robust to the noises except Worley noise, which can also be seen as evidence supporting the effectiveness of adversarial training.

5 Conclusion

Research on universal adversarial perturbations (UAPs) remains an open direction, and procedural adversarial noise is one type of UAP. In this paper, we propose two procedural adversarial noise attack methods to craft image-agnostic universal adversarial perturbations: Simplex noise and Worley noise. Our proposed attack methods surpass the state-of-the-art procedural adversarial noise methods on ImageNet and CIFAR-10. An empirical study compares our methods with other black-box adversarial attack methods and universal adversarial perturbation attack methods. The effectiveness of the adversarial noise attack lies in the shading generated by rendering technologies, which disturbs the classification ability of neural networks. Discomfort with shading exists not only in machine vision systems but also in the human perception system, which raises a security challenge for current deep-learning-based visual systems. Moreover, we present an empirical study of defense methods against procedural adversarial noises. The results of our defense experiments validate some theoretical analyses of robustness in deep learning. Several findings can be highlighted: 1) in the denoising-based defense experiment on CIFAR-10, the methods consistent with the Frequency Principle (F-Principle) boost robustness under adversarial attack; 2) in the defense experiment on the RealSafe benchmark, the adversarial training methods with the “gradient penalty” mechanism provide a robustness guarantee under procedural adversarial noise attacks. Our work provides some inspiration for research on universal adversarial perturbations (UAPs) and may help advance research to improve the robustness of neural networks.

Acknowledgements.
This work was supported by the National Natural Science Foundation of China under Grant No. 61701348. The authors would like to thank TUEV SUED for the kind and generous support.
