Generative Imperceptible Attack With Feature Learning Bias Reduction and Multi-Scale Variance Regularization

Weicheng Xie, Zenghao Niu, Qinliang Lin, Siyang Song, Linlin Shen

Research output: Journal Publication, Article, peer-review

Abstract

Existing studies have shown that malicious and imperceptible adversarial samples may significantly weaken the reliability and validity of deep learning systems. Since gradient-based attack algorithms may result in higher generation latency or demand large computation overhead, generative attack methods are frequently considered. However, effectiveness and imperceptibility are still the main concerns for these generative attacks: 1) biased feature learning may occur, i.e., these algorithms may generate undesirable feature perturbations for samples that are less likely to be successfully attacked; 2) the produced perturbation noise may be easily perceived by human eyes. To this end, we propose a novel generative attack by manipulating the feature update. The proposed algorithm has two main merits: 1) our Bias-reduced Feature Manipulation (BrFM), which differentiates the hard-to-attack (Hard2Attack) and easy-to-attack (Easy2Attack) features, can avoid the possible learning shortcut for different difficulties of features in the attack process by customizing perturbations for Hard2Attack features to make them behave oppositely to those of benign features; 2) our Multi-scale Variance Regularization (MsVR) can reduce the unnatural transitions of perturbations in mask edges and flat areas with low contrast, while simultaneously trading off a reasonable attack capacity. Extensive experiments on the Caltech-101 and Imagenette datasets, in terms of the attack success rate and four imperceptibility metrics, show the effectiveness of our attack paradigm over the related state-of-the-art generative attack methods. Our code will be made publicly available.

Original language: English
Pages (from-to): 7924-7938
Number of pages: 15
Journal: IEEE Transactions on Information Forensics and Security
Volume: 19
DOIs
Publication status: Published - 2024

Keywords

  • Generative adversarial attack
  • feature regularization loss
  • imperceptibility metric
  • imperceptible perturbation
  • robust object classification

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
