[go: up one dir, main page]
Skip to main content
SpringerLink
Log in

Superpixel Attack

Enhancing Black-Box Adversarial Attack with Image-Driven Division Areas

  • Conference paper
  • First Online:
AI 2023: Advances in Artificial Intelligence (AI 2023)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 14471))

Included in the following conference series:

  • 792 Accesses

Abstract

Deep learning models are used in safety-critical tasks such as automated driving and face recognition. However, small perturbations in the model input can significantly change the predictions. Adversarial attacks are used to identify small perturbations that can lead to misclassifications. More powerful black-box adversarial attacks are required to develop more effective defenses. A promising approach to black-box adversarial attacks is to repeat the process of extracting a specific image area and changing the perturbations added to it. Existing attacks adopt simple rectangles as the areas where perturbations are changed in a single iteration. We propose applying superpixels instead, which achieve a good balance between color variance and compactness. We also propose a new search method, versatile search, and a novel attack method, Superpixel Attack, which applies superpixels and performs versatile search. Superpixel Attack improves attack success rates by an average of 2.10% compared with existing attacks. Most models used in this study are robust against adversarial attacks, and this improvement is significant for black-box adversarial attacks. The code is available at https://github.com/oe1307/SuperpixelAttack.git.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    LAB color spaces in this paper refer to CIELAB (L, a*, b*) color space.

References

  1. Achanta, R., Shaji, A., Smith, K., Lucchi, A., Fua, P., Süsstrunk, S.: Slic superpixels. Technical report (2010)

    Google Scholar 

  2. Al-Dujaili, A., O’Reilly, U.M.: Sign bits are all you need for black-box attacks. In: International Conference on Learning Representations (2020)

    Google Scholar 

  3. Aldahdooh, A., Hamidouche, W., Fezza, S.A., Déforges, O.: Adversarial example detection for DNN models: a review and experimental comparison. Artif. Intell. Rev. 55(6), 4403–4462 (2022)

    Article  Google Scholar 

  4. Andriushchenko, M., Croce, F., Flammarion, N., Hein, M.: Square attack: a query-efficient black-box adversarial attack via random search. In: Vedaldi, A., Bischof, H., Brox, T., Frahm, J.-M. (eds.) ECCV 2020. LNCS, vol. 12368, pp. 484–501. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58592-1_29

    Chapter  Google Scholar 

  5. Benesova, W., Kottman, M.: Fast superpixel segmentation using morphological processing. In: Conference on Machine Vision and Machine Learning, pp. 67–1 (2014)

    Google Scholar 

  6. Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE (2017)

    Google Scholar 

  7. Chen, J., Hou, J., Ni, Y., Chau, L.P.: Accurate light field depth estimation with superpixel regularization over partially occluded regions. IEEE Trans. Image Process. 27(10), 4889–4900 (2018)

    Article  MathSciNet  Google Scholar 

  8. Croce, F., et al.: RobustBench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670 (2020)

  9. Croce, F., Andriushchenko, M., Singh, N.D., Flammarion, N., Hein, M.: Sparse-RS: a versatile framework for query-efficient sparse black-box adversarial attacks. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 36, pp. 6437–6445 (2022)

    Google Scholar 

  10. Croce, F., Hein, M.: Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: International Conference on Machine Learning, pp. 2206–2216. PMLR (2020)

    Google Scholar 

  11. Dai, Z., Liu, S., Tang, K., Li, Q.: Saliency attack: towards imperceptible black-box adversarial attack. arXiv preprint arXiv:2206.01898 (2022)

  12. Debenedetti, E., Sehwag, V., Mittal, P.: A light recipe to train robust vision transformers. arXiv preprint arXiv:2209.07399 (2022)

  13. Deng, J., Dong, W., Socher, R., Li, L.J., Li, K., Fei-Fei, L.: ImageNet: a large-scale hierarchical image database. In: 2009 IEEE Conference on Computer Vision and Pattern Recognition, pp. 248–255. IEEE (2009)

    Google Scholar 

  14. Dong, X., et al.: Robust superpixel-guided attentional adversarial attack. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 12895–12904 (2020)

    Google Scholar 

  15. Engstrom, L., Ilyas, A., Salman, H., Santurkar, S., Tsipras, D.: Robustness (python library) (2019). https://github.com/MadryLab/robustness

  16. Kwak, S., Hong, S., Han, B.: Weakly supervised semantic segmentation using superpixel pooling network. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 31 (2017)

    Google Scholar 

  17. Li, S., Huang, G., Xu, X., Yang, Y., Shen, F.: Accelerated sign hunter: a sign-based black-box attack via branch-prune strategy and stabilized hierarchical search. In: Proceedings of the 2022 International Conference on Multimedia Retrieval, pp. 462–470 (2022)

    Google Scholar 

  18. Liu, C., et al.: A comprehensive study on robustness of image classification models: benchmarking and rethinking. arXiv preprint arXiv:2302.14301 (2023)

  19. Metzen, J.H., Genewein, T., Fischer, V., Bischoff, B.: On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267 (2017)

  20. Moon, S., An, G., Song, H.O.: Parsimonious black-box adversarial attacks via efficient combinatorial optimization. In: International Conference on Machine Learning, pp. 4636–4645. PMLR (2019)

    Google Scholar 

  21. Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 506–519 (2017)

    Google Scholar 

  22. Rahmati, A., Moosavi-Dezfooli, S.M., Frossard, P., Dai, H.: GeoDA: a geometric framework for black-box adversarial attacks. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 8446–8455 (2020)

    Google Scholar 

  23. Salman, H., Ilyas, A., Engstrom, L., Kapoor, A., Madry, A.: Do adversarially robust ImageNet models transfer better? In: Advances in Neural Information Processing Systems, vol. 33, pp. 3533–3545 (2020)

    Google Scholar 

  24. Schick, A., Fischer, M., Stiefelhagen, R.: Measuring and evaluating the compactness of superpixels. In: Proceedings of the 21st International Conference on Pattern Recognition (ICPR2012), pp. 930–934. IEEE (2012)

    Google Scholar 

  25. Singh, N.D., Croce, F., Hein, M.: Revisiting adversarial training for ImageNet: architectures, training and generalization across threat models. arXiv preprint arXiv:2303.01870 (2023)

  26. Szegedy, C., et al.: Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)

  27. Wang, X., et al.: Triangle attack: a query-efficient decision-based adversarial attack. In: Avidan, S., Brostow, G., Cissé, M., Farinella, G.M., Hassner, T. (eds.) ECCV 2022. LNCS, vol. 13665, pp. 156–174. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-20065-6_10

    Chapter  Google Scholar 

  28. Wang, Y., Ma, X., Bailey, J., Yi, J., Zhou, B., Gu, Q.: On the convergence and robustness of adversarial training. arXiv preprint arXiv:2112.08304 (2021)

  29. Wong, E., Rice, L., Kolter, J.Z.: Fast is better than free: revisiting adversarial training. arXiv preprint arXiv:2001.03994 (2020)

  30. Yan, J., Yu, Y., Zhu, X., Lei, Z., Li, S.Z.: Object detection by labeling superpixels. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 5107–5116 (2015)

    Google Scholar 

  31. Zhang, J., et al.: Towards efficient data free black-box adversarial attack. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 15115–15125 (2022)

    Google Scholar 

  32. Zhao, W., Alwidian, S., Mahmoud, Q.H.: Adversarial training methods for deep learning: a systematic review. Algorithms 15(8), 283 (2022)

    Article  Google Scholar 

Download references

Acknowledgements

This research project was supported by the Japan Science and Technology Agency (JST), the Core Research of Evolutionary Science and Technology (CREST), the Center of Innovation Science and Technology based Radical Innovation and Entrepreneurship Program (COI Program), JSPS KAKENHI Grant Number JP16H01707 and JP21H04599, Japan.

Author information

Authors and Affiliations

  1. Graduate School of Mathematics, Kyushu University, Fukuoka, Japan

    Issa Oe, Keiichiro Yamamura, Hiroki Ishikura & Ryo Hamahira

  2. Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan

    Katsuki Fujisawa

Authors
  1. Issa Oe
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Keiichiro Yamamura
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hiroki Ishikura
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ryo Hamahira
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Katsuki Fujisawa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Issa Oe .

Editor information

Editors and Affiliations

  1. The University of Sydney, Darlington, NSW, Australia

    Tongliang Liu

  2. Monash University, Clayton, VIC, Australia

    Geoff Webb

  3. The University of Newcastle, Callaghan, NSW, Australia

    Lin Yue

  4. CSIRO Data61, Sydney, NSW, Australia

    Dadong Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Oe, I., Yamamura, K., Ishikura, H., Hamahira, R., Fujisawa, K. (2024). Superpixel Attack. In: Liu, T., Webb, G., Yue, L., Wang, D. (eds) AI 2023: Advances in Artificial Intelligence. AI 2023. Lecture Notes in Computer Science(), vol 14471. Springer, Singapore. https://doi.org/10.1007/978-981-99-8388-9_12

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-8388-9_12

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8387-2

  • Online ISBN: 978-981-99-8388-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation