Steganographic universal adversarial perturbations

S. Ud Din; N. Akhtar; S. Younis; F. Shafait; A. Mansoor; M. Shafique

doi:10.1016/j.patrec.2020.04.025

Steganographic universal adversarial perturbations

S. Ud Din, N. Akhtar, S. Younis, F. Shafait, A. Mansoor, M. Shafique

Electrical Engineering

Research output: Contribution to journal › Article › peer-review

Abstract

We propose a steganography based technique to generate adversarial perturbations to fool deep models on any image. The proposed perturbations are computed in a transform domain where a single secret image embedded in any target image makes any deep model misclassify the target image with high probability. The attack resulting from our perturbation is ideal for black-box setting, as it does not require any information about the target model. Moreover, being a non-iterative technique, our perturbation estimation remains computationally efficient. The computed perturbations are also imperceptible to humans while they achieve high fooling ratios for the models trained on large-scale ImageNet dataset. We demonstrate successful fooling of ResNet-50, VGG-16, Inception-V3 and MobileNet-V2, achieving up to 89% fooling of these popular classification models.

Original language	English (US)
Pages (from-to)	146-152
Number of pages	7
Journal	Pattern Recognition Letters
Volume	135
DOIs	https://doi.org/10.1016/j.patrec.2020.04.025
State	Published - Jul 2020

Keywords

Adversarial attack
Deep neural networks
Steganography
Wavelet transform

ASJC Scopus subject areas

Software
Signal Processing
Computer Vision and Pattern Recognition
Artificial Intelligence

Access to Document

10.1016/j.patrec.2020.04.025

Cite this

@article{c45c0085421f40aba3d94f36c7270473,

title = "Steganographic universal adversarial perturbations",

abstract = "We propose a steganography based technique to generate adversarial perturbations to fool deep models on any image. The proposed perturbations are computed in a transform domain where a single secret image embedded in any target image makes any deep model misclassify the target image with high probability. The attack resulting from our perturbation is ideal for black-box setting, as it does not require any information about the target model. Moreover, being a non-iterative technique, our perturbation estimation remains computationally efficient. The computed perturbations are also imperceptible to humans while they achieve high fooling ratios for the models trained on large-scale ImageNet dataset. We demonstrate successful fooling of ResNet-50, VGG-16, Inception-V3 and MobileNet-V2, achieving up to 89% fooling of these popular classification models.",

keywords = "Adversarial attack, Deep neural networks, Steganography, Wavelet transform",

author = "{Ud Din}, S. and N. Akhtar and S. Younis and F. Shafait and A. Mansoor and M. Shafique",

note = "Publisher Copyright: {\textcopyright} 2020 Elsevier B.V.",

year = "2020",

month = jul,

doi = "10.1016/j.patrec.2020.04.025",

language = "English (US)",

volume = "135",

pages = "146--152",

journal = "Pattern Recognition Letters",

issn = "0167-8655",

publisher = "Elsevier B.V.",

}

TY - JOUR

T1 - Steganographic universal adversarial perturbations

AU - Ud Din, S.

AU - Akhtar, N.

AU - Younis, S.

AU - Shafait, F.

AU - Mansoor, A.

AU - Shafique, M.

PY - 2020/7

Y1 - 2020/7

N2 - We propose a steganography based technique to generate adversarial perturbations to fool deep models on any image. The proposed perturbations are computed in a transform domain where a single secret image embedded in any target image makes any deep model misclassify the target image with high probability. The attack resulting from our perturbation is ideal for black-box setting, as it does not require any information about the target model. Moreover, being a non-iterative technique, our perturbation estimation remains computationally efficient. The computed perturbations are also imperceptible to humans while they achieve high fooling ratios for the models trained on large-scale ImageNet dataset. We demonstrate successful fooling of ResNet-50, VGG-16, Inception-V3 and MobileNet-V2, achieving up to 89% fooling of these popular classification models.

AB - We propose a steganography based technique to generate adversarial perturbations to fool deep models on any image. The proposed perturbations are computed in a transform domain where a single secret image embedded in any target image makes any deep model misclassify the target image with high probability. The attack resulting from our perturbation is ideal for black-box setting, as it does not require any information about the target model. Moreover, being a non-iterative technique, our perturbation estimation remains computationally efficient. The computed perturbations are also imperceptible to humans while they achieve high fooling ratios for the models trained on large-scale ImageNet dataset. We demonstrate successful fooling of ResNet-50, VGG-16, Inception-V3 and MobileNet-V2, achieving up to 89% fooling of these popular classification models.

KW - Adversarial attack

KW - Deep neural networks

KW - Steganography

KW - Wavelet transform

UR - http://www.scopus.com/inward/record.url?scp=85084109164&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85084109164&partnerID=8YFLogxK

U2 - 10.1016/j.patrec.2020.04.025

DO - 10.1016/j.patrec.2020.04.025

M3 - Article

SN - 0167-8655

VL - 135

SP - 146

EP - 152

JO - Pattern Recognition Letters

JF - Pattern Recognition Letters

ER -

Steganographic universal adversarial perturbations

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this