A Method for Adversarial Example Generation Using Wavelet Transformation

Kanato Takahashi, Masaomi Kimura, Imam Mukhlash, Mohammad Iqbal
AHFE international, published 2023-01-01. DOI: 10.54941/ahfe1004250 (https://doi.org/10.54941/ahfe1004250)

Abstract

With the advance of Deep Neural Networks (DNN), the accuracy of various machine learning tasks has dramatically improved. Image classification is one of the most typical tasks. However, various papers have pointed out the vulnerability of DNNs. It is known that small changes to an image can easily make a DNN model misclassify it. Images with such small changes are called adversarial examples. This vulnerability of DNNs is a major problem in practical image recognition. There has been research on methods to generate adversarial examples and on methods to defend DNN models against being fooled by adversarial examples. In addition, the transferability of adversarial examples can be used to easily attack a model in a black-box attack situation.

Many attack methods add perturbations to images in the spatial domain. However, we focus on the spatial frequency domain and propose a new attack method. Since the low-frequency component is responsible for the overall tendency of color distributions in an image, a change to it is easy to see. On the other hand, the high-frequency component of an image holds less information than the low-frequency component. Even if it is changed, the change is less apparent in the appearance of the image. Therefore, it is difficult to perceive an attack on the high-frequency component at a glance, which makes it easy to attack. Thus, by adding perturbation to the high-frequency components of images, we can expect to generate adversarial examples that appear similar to the original image to the human eye.

R. Duan et al. used a discrete cosine transformation for images when focusing on the spatial frequency domain. Their method uses quantization, which drops the information that DNN models would have extracted. However, it has the disadvantage that block-like noise appears in the resulting image, because the target image is divided into 8 × 8 blocks to apply the discrete cosine transformation. To avoid this disadvantage, we propose a method that applies the wavelet transformation to target images. Reducing the information in the high-frequency component changes the image with a perturbation that is not noticeable, which results in a smaller change to the image than in previous studies. For experiments, the peak signal-to-noise ratio (PSNR) was used to quantify how much the image was degraded from the original. In our experiments, we compared the results of our method, with different learning rates used to generate perturbations, against the previous study and found that the maximum learning rate of our method was about 43, compared to about 32 in the previous study. Unlike previous studies, the attack success rate was also improved without using quantization: our method improved attack accuracy by about 9% compared to the previous work.
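An added example, not code from the paper: a defender-side measurement of how much an image was changed (PSNR, as in the abstract) and which wavelet subband the change sits in. The single-level Haar wavelet, the function names and the 8×8 test images are assumptions made for illustration; the abstract does not name the wavelet used.

```python
import math

def haar2d(img):
    """Single-level orthonormal 2D Haar DWT (assumed wavelet) of an even-sized image."""
    bands = {"LL": [], "LH": [], "HL": [], "HH": []}
    for y in range(0, len(img), 2):
        row = {k: [] for k in bands}
        for x in range(0, len(img[0]), 2):
            a, b = img[y][x], img[y][x + 1]
            c, d = img[y + 1][x], img[y + 1][x + 1]
            row["LL"].append((a + b + c + d) / 2)  # local average (low frequency)
            row["LH"].append((a - b + c - d) / 2)  # horizontal detail
            row["HL"].append((a + b - c - d) / 2)  # vertical detail
            row["HH"].append((a - b - c + d) / 2)  # diagonal detail
        for k in bands:
            bands[k].append(row[k])
    return bands

def psnr(orig, test, peak=255.0):
    """Peak signal-to-noise ratio in dB; infinite for identical images."""
    n = len(orig) * len(orig[0])
    mse = sum((o - t) ** 2 for ro, rt in zip(orig, test) for o, t in zip(ro, rt)) / n
    return math.inf if mse == 0 else 10 * math.log10(peak ** 2 / mse)

def residual_band_share(orig, test):
    """Fraction of the (test - orig) energy that falls in each Haar subband."""
    diff = [[t - o for o, t in zip(ro, rt)] for ro, rt in zip(orig, test)]
    energy = {k: sum(v * v for r in b for v in r) for k, b in haar2d(diff).items()}
    total = sum(energy.values())
    return {k: (e / total if total else 0.0) for k, e in energy.items()}

# Constructed 8x8 grayscale ramp and two constructed changes of equal size:
# a +/-2 checkerboard (finest detail) and a uniform +2 brightness shift.
BASE = [[100 + 8 * x + 4 * y for x in range(8)] for y in range(8)]
CHECKER = [[v + 2 * (-1) ** (x + y) for x, v in enumerate(r)] for y, r in enumerate(BASE)]
SHIFTED = [[v + 2 for v in r] for r in BASE]

if __name__ == "__main__":
    for name, img in (("checkerboard", CHECKER), ("shift", SHIFTED)):
        share = residual_band_share(BASE, img)
        print(name, round(psnr(BASE, img), 2), {k: round(s, 2) for k, s in share.items()})
```

Both constructed changes score the same PSNR because the transform is orthonormal, so PSNR alone does not show which subband was touched; the per-subband share of the residual does.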