Abstract
Adversarial attacks in the digital image domain pose significant challenges to the robustness of machine learning models. Trained convolutional neural networks (CNNs) are among the leading tools used for the automatic classification of images. They are nevertheless exposed to attacks: given a clean input image that a CNN classifies in some category, carefully designed adversarial images may lead the CNN to an erroneous classification, although humans would still "correctly" classify the constructed adversarial images in the same category as the input image. In this feasibility study, we propose a novel approach to enhance adversarial attacks by incorporating a pixel-of-interest (PoI) detection mechanism. Our method uses the BagNet model to identify the most relevant pixels, allowing the attack to focus exclusively on these pixels and thereby speeding up the generation of adversarial images. These attacks are executed in the low-resolution domain, and the Noise Blowing-Up (NBU) strategy then transforms the low-resolution adversarial images into high-resolution adversarial images. The PoI+NBU strategy is tested on an evolutionary-based black-box targeted attack against MobileNet trained on ImageNet using 100 clean images. We observed that this approach increased the speed of the attack by approximately 65%.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Copyright (c) 2025 Enea Mancellari, Ali Osman Topal, Franck Leprévost
