EDGEFOOL: AN ADVERSARIAL IMAGE ENHANCEMENT FILTER
Ali Shahin Shamsabadi, Changjae Oh, Andrea Cavallaro
Centre for Intelligent Sensing, Queen Mary University of London, UK
ABSTRACT
Adversarial examples are intentionally perturbed images that mis-lead classifiers. These images can, however, be easily detected using denoising algorithms, when high-frequency spatial perturbations are used, or can be noticed by humans, when perturbations are large. In this paper, we propose EdgeFool, an adversarial image enhancement filter that learns structure-aware adversarial perturbations. Edge-Fool generates adversarial images with perturbations that enhance image details via training a fully convolutional neural network end-to-end with a multi-task loss function. This loss function accounts for both image detail enhancement and class misleading objectives. We evaluate EdgeFool on three classifiers (ResNet-50, ResNet-18 and AlexNet) using two datasets (ImageNet and Private-Places365) and compare it with six adversarial methods (DeepFool, SparseFool, Carlini-Wagner, SemanticAdv, Non-targeted and Private Fast
Gradi-ent Sign Methods). Code is available athttps://github.com/
smartcameras/EdgeFool.git.
Index Terms— Adversarial images, detail enhancement
1. INTRODUCTION
An adversarial image is generated by perturbing the pixel values of an original image to induce a Deep Neural Network (DNNs) to fail
in its classification task. However, most adversarial images are
de-tectable[1, 2, 3] by defence mechanisms that use denoising
algo-rithms, such as median filtering or bit-depth reduction [4], or, when
large distortions are generated, the adversarial images arenoticeable
to humans [5, 6]. Moreover, most adversarial methods operate un-der a white-box attack assumption and need to access the parameters of a specific classifier. Therefore, the resulting perturbations do not
generallytransferacross classifiers [7].
Adversarial methods can be classified as constrained or uncon-strained, depending on whether they generate bounded
perturba-tions. Constrained adversarial methods [1, 2, 3, 6, 8] iteratively
minimise an`pnorm of the perturbations. Non-targeted Fast
Gra-dient Sign Method (N-FGSM) [1] and Private Fast GraGra-dient Sign Method (P-FGSM) [2] generate an adversarial perturbation whose
`∞norm is constrained. DeepFool [8] and Carlini-Wagner (CW) [3]
constrain the`2difference between the original and adversarial
im-age, while SparseFool [6] generates sparse adversarial perturbations
based on the`1norm. However, these adversarial images are easily
detectable [4] and are not transferable [7].
More recent adversarial methods introduceunconstrained
per-turbations, for example by randomly shifting hue and saturation values [5], by transferring new textures to input images [9] or by colourisation [9, 10]. These adversarial methods are more trans-ferable and less detectable than constrained adversarial methods,
Andrea Cavallaro wishes to thank the Alan Turing Institute
(EP/N510129/1), which is funded by the EPSRC, for its support through the project PRIMULA.
(a) (b) (c)
Fig. 1. Adversarial examples produced withunconstrained
pertur-bations. (a) Original images. Adversarial images generated with (b) SemanticAdv [5] and (c) EdgeFool, the proposed method. Note the unnatural colours produced by SemanticAdv, and the enhanced details and natural colours produced by EdgeFool.
but unconstrained adversarial images may be severely degraded by unnatural textures or colours (see Figure 1(b)).
In this paper, we propose employing an image enhancement fil-ter to generate adversarial images, with the objective of reducing detectability and noticeability, and improving transferability. We achieve these contrasting objectives with a structure-aware ial perturbation that enhances image details. The proposed adversar-ial image enhancement filter, EdgeFool, learns the adversaradversar-ial pertur-bation by training a Fully Convolutional Neural Network (FCNN) end-to-end with a multi-task loss, which includes detail enhance-ment and class misleading objectives. Using image smoothing [11], the network learns to decompose the image, isolating the details from smoother image structures. Then, the multi-task loss function guides the network to enhance details in a way that causes an in-correct classification. The block diagram of the proposed method is shown in Figure 2.
We validate EdgeFool with object and scene classifiers on Im-ageNet [12] and Private-Places365 [13] using deep residual neu-ral networks with 50 layers 50) and 18 layers (ResNet-18) [14], and AlexNet [15]. Experiments show that EdgeFool gen-erates detail-enhanced adversarial images that are more transferable and less detectable than constrained adversarial methods.
2. PROPOSED METHOD 2.1. Preliminaries
Adversarial methods aim to mislead aD-class classifier,C(·), by
modifying the intensity values of an RGB image,I, and generating
Ladv <latexit sha1_base64="D53GgFzEGrxipKhuY8m7czyB58o=">AAACAXicbVDLSsNAFJ34rPUVdSO4CVbBVUmqoMuCGxcuKtgHNCFMJpN26OTBzE2xhLjxV9y4UMStf+HOv3HSZqGtBy4czrmXe+/xEs4kmOa3trS8srq2Xtmobm5t7+zqe/sdGaeC0DaJeSx6HpaUs4i2gQGnvURQHHqcdr3RdeF3x1RIFkf3MEmoE+JBxAJGMCjJ1Q/tEMOQYJ7d5m5mA32ADPvjPHf1mlk3pzAWiVWSGirRcvUv249JGtIICMdS9i0zASfDAhjhNK/aqaQJJiM8oH1FIxxS6WTTD3LjVCm+EcRCVQTGVP09keFQyknoqc7iXjnvFeJ/Xj+F4MrJWJSkQCMyWxSk3IDYKOIwfCYoAT5RBBPB1K0GGWKBCajQqioEa/7lRdJp1K3zeuPuotY8KeOooCN0jM6QhS5RE92gFmojgh7RM3pFb9qT9qK9ax+z1iWtnDlAf6B9/gDGYZem</latexit> Ls <latexit sha1_base64="RE9+8acT0w7Nc/izdoqdKDWycU4=">AAAB/3icbVDLSsNAFJ3UV62vqODGTbAKrkpSBV0W3LhwUcE+oAlhMp22QyeTMHMjlpiFv+LGhSJu/Q13/o2TNgttPTBwOOde7pkTxJwpsO1vo7S0vLK6Vl6vbGxube+Yu3ttFSWS0BaJeCS7AVaUM0FbwIDTbiwpDgNOO8H4Kvc791QqFok7mMTUC/FQsAEjGLTkmwduiGFEME9vMj91gT5AqrLMN6t2zZ7CWiROQaqoQNM3v9x+RJKQCiAcK9Vz7Bi8FEtghNOs4iaKxpiM8ZD2NBU4pMpLp/kz60QrfWsQSf0EWFP190aKQ6UmYaAn87Rq3svF/7xeAoNLL2UiToAKMjs0SLgFkZWXYfWZpAT4RBNMJNNZLTLCEhPQlVV0Cc78lxdJu15zzmr12/Nq47ioo4wO0RE6RQ66QA10jZqohQh6RM/oFb0ZT8aL8W58zEZLRrGzj/7A+PwBOkCWyg==</latexit> Detail Enhancement <latexit sha1_base64="Ru2NgND0pA0FAEwWYz0tHkq/lW8=">AAAB/nicbVDLSsNAFJ34rPEVFVduBovgqiR1ocuCCi4r2Ac0oUymN+3QySTMTIQSCv6KGxeKuPU73Pk3TtostPXAwOGce7h3TphyprTrflsrq2vrG5uVLXt7Z3dv3zk4bKskkxRaNOGJ7IZEAWcCWpppDt1UAolDDp1wfF34nUeQiiXiQU9SCGIyFCxilGgj9Z3jG9CEcez79q0YEUEhBqH7TtWtuTPgZeKVpIpKNPvOlz9IaFZkKSdK9Tw31UFOpGaUw9T2MwUpoWMyhJ6hgsSggnx2/hSfGWWAo0SaJzSeqb8TOYmVmsShmYyJHqlFrxD/83qZjq6CnIk00yDofFGUcawTXHSBB0wC1XxiCKGSmVsxHRFJqDaN2aYEb/HLy6Rdr3kXtfp9vdrAZR0VdIJO0Tny0CVqoDvURC1EUY6e0St6s56sF+vd+piPrlhl5gj9gfX5A1LYlPg=</latexit> RGB2Lab <latexit sha1_base64="jsOW9VvLWAIUffuMtYCd2kjUYso=">AAAB7nicbVA9SwNBEJ3zM8avqKXNYhCswl0stAxaaGERxXxAcoS5zV6yZG/v2N0TwpEfYWOhiK2/x85/4ya5QhMfDDzem2FmXpAIro3rfjsrq2vrG5uFreL2zu7efungsKnjVFHWoLGIVTtAzQSXrGG4EaydKIZRIFgrGF1P/dYTU5rH8tGME+ZHOJA85BSNlVoPN1fVOwx6pbJbcWcgy8TLSRly1Hulr24/pmnEpKECte54bmL8DJXhVLBJsZtqliAd4YB1LJUYMe1ns3Mn5NQqfRLGypY0ZKb+nsgw0nocBbYzQjPUi95U/M/rpCa89DMuk9QwSeeLwlQQE5Pp76TPFaNGjC1Bqri9ldAhKqTGJlS0IXiLLy+TZrXinVeq99VyjeRxFOAYTuAMPLiAGtxCHRpAYQTP8ApvTuK8OO/Ox7x1xclnjuAPnM8fPNWOvA==</latexit> RGB2Lab <latexit sha1_base64="jsOW9VvLWAIUffuMtYCd2kjUYso=">AAAB7nicbVA9SwNBEJ3zM8avqKXNYhCswl0stAxaaGERxXxAcoS5zV6yZG/v2N0TwpEfYWOhiK2/x85/4ya5QhMfDDzem2FmXpAIro3rfjsrq2vrG5uFreL2zu7efungsKnjVFHWoLGIVTtAzQSXrGG4EaydKIZRIFgrGF1P/dYTU5rH8tGME+ZHOJA85BSNlVoPN1fVOwx6pbJbcWcgy8TLSRly1Hulr24/pmnEpKECte54bmL8DJXhVLBJsZtqliAd4YB1LJUYMe1ns3Mn5NQqfRLGypY0ZKb+nsgw0nocBbYzQjPUi95U/M/rpCa89DMuk9QwSeeLwlQQE5Pp76TPFaNGjC1Bqri9ldAhKqTGJlS0IXiLLy+TZrXinVeq99VyjeRxFOAYTuAMPLiAGtxCHRpAYQTP8ApvTuK8OO/Ox7x1xclnjuAPnM8fPNWOvA==</latexit> Lab2RGB <latexit sha1_base64="M32iqd+LmWM0+sbU2SmfJrJA/rc=">AAAB7nicbVA9SwNBEJ3zM8avqKXNYhCswl0stAxaaGERxXxAcoS5zV6yZG/v2N0TwpEfYWOhiK2/x85/4ya5QhMfDDzem2FmXpAIro3rfjsrq2vrG5uFreL2zu7efungsKnjVFHWoLGIVTtAzQSXrGG4EaydKIZRIFgrGF1P/dYTU5rH8tGME+ZHOJA85BSNlVp3GFQfbq56pbJbcWcgy8TLSRly1Hulr24/pmnEpKECte54bmL8DJXhVLBJsZtqliAd4YB1LJUYMe1ns3Mn5NQqfRLGypY0ZKb+nsgw0nocBbYzQjPUi95U/M/rpCa89DMuk9QwSeeLwlQQE5Pp76TPFaNGjC1Bqri9ldAhKqTGJlS0IXiLLy+TZrXinVeq99VyjeRxFOAYTuAMPLiAGtxCHRpAYQTP8ApvTuK8OO/Ox7x1xclnjuAPnM8fPaWOvA==</latexit> Classifier <latexit sha1_base64="7AP1O7loFe5aLoqTHDGe1R/ybas=">AAAB8XicbVC7TsMwFL3hWcqrwMhiUSExVUkZYKzUhbFI9CHaqHLcm9aq40S2g1RF/QsWBhBi5W/Y+BucNgO0HMnS8Tn32veeIBFcG9f9djY2t7Z3dkt75f2Dw6PjyslpR8epYthmsYhVL6AaBZfYNtwI7CUKaRQI7AbTZu53n1BpHssHM0vQj+hY8pAzaqz02BRUa3tFNaxU3Zq7AFknXkGqUKA1rHwNRjFLI5SG5a/0PTcxfkaV4UzgvDxINSaUTekY+5ZKGqH2s8XEc3JplREJY2WPNGSh/u7IaKT1LApsZUTNRK96ufif109NeOtnXCapQcmWH4WpICYm+fpkxBUyI2aWUKa4nZWwCVWUGRtS2Ybgra68Tjr1mnddq9/Xqw1SxFGCc7iAK/DgBhpwBy1oAwMJz/AKb452Xpx352NZuuEUPWfwB87nD5x2kMM=</latexit> Classifier <latexit sha1_base64="7AP1O7loFe5aLoqTHDGe1R/ybas=">AAAB8XicbVC7TsMwFL3hWcqrwMhiUSExVUkZYKzUhbFI9CHaqHLcm9aq40S2g1RF/QsWBhBi5W/Y+BucNgO0HMnS8Tn32veeIBFcG9f9djY2t7Z3dkt75f2Dw6PjyslpR8epYthmsYhVL6AaBZfYNtwI7CUKaRQI7AbTZu53n1BpHssHM0vQj+hY8pAzaqz02BRUa3tFNaxU3Zq7AFknXkGqUKA1rHwNRjFLI5SG5a/0PTcxfkaV4UzgvDxINSaUTekY+5ZKGqH2s8XEc3JplREJY2WPNGSh/u7IaKT1LApsZUTNRK96ufif109NeOtnXCapQcmWH4WpICYm+fpkxBUyI2aWUKa4nZWwCVWUGRtS2Ybgra68Tjr1mnddq9/Xqw1SxFGCc7iAK/DgBhpwBy1oAwMJz/AKb452Xpx352NZuuEUPWfwB87nD5x2kMM=</latexit>
Smoothing<latexit sha1_base64="5j9O0vnx/GDjB+Z9LdR6P7+44fA=">AAAB8XicbVDLSgNBEOz1GeMr6tHLYBA8hd140GPAi8eI5oHJEmYns8mQeSwzs0JY8hdePCji1b/x5t84m+xBEwsaiqpuuruihDNjff/bW1vf2NzaLu2Ud/f2Dw4rR8dto1JNaIsornQ3woZyJmnLMstpN9EUi4jTTjS5yf3OE9WGKflgpwkNBR5JFjOCrZMe74VSdszkqDyoVP2aPwdaJUFBqlCgOah89YeKpIJKSzg2phf4iQ0zrC0jnM7K/dTQBJMJHtGeoxILasJsfvEMnTtliGKlXUmL5urviQwLY6Yicp0C27FZ9nLxP6+X2vg6zJhMUkslWSyKU46sQvn7aMg0JZZPHcFEM3crImOsMbEupDyEYPnlVdKu14LLWv2uXm2gIo4SnMIZXEAAV9CAW2hCCwhIeIZXePOM9+K9ex+L1jWvmDmBP/A+fwA34pCA</latexit>
FCNN <latexit sha1_base64="Prg58wm1Fu4HNzmCz3J0rwg0/Uc=">AAAB63icbVBNSwMxEJ2tX7V+VT16CRbBU9mth3osFMRTqWA/oF1KNs22oUl2SbJCWfoXvHhQxKt/yJv/xmy7B219MPB4b4aZeUHMmTau++0UtrZ3dveK+6WDw6Pjk/LpWVdHiSK0QyIeqX6ANeVM0o5hhtN+rCgWAae9YNbM/N4TVZpF8tHMY+oLPJEsZASbTLprtlqjcsWtukugTeLlpAI52qPy13AckURQaQjHWg88NzZ+ipVhhNNFaZhoGmMywxM6sFRiQbWfLm9doCurjFEYKVvSoKX6eyLFQuu5CGynwGaq171M/M8bJCa89VMm48RQSVaLwoQjE6HscTRmihLD55Zgopi9FZEpVpgYG0/JhuCtv7xJurWqd1OtPdQqDZTHUYQLuIRr8KAODbiHNnSAwBSe4RXeHOG8OO/Ox6q14OQz5/AHzucPU1eNpw==</latexit> y <latexit sha1_base64="geWC3U0gx2EHNYzWQR7Dt2GG3+Y=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LFbBU0mqoMeCF48t2FpoQ9lsJ+3azSbsboQS+gu8eFDEqz/Jm//GbZuDtj4YeLw3w8y8IBFcG9f9dgpr6xubW8Xt0s7u3v5B+fCoreNUMWyxWMSqE1CNgktsGW4EdhKFNAoEPgTj25n/8IRK81jem0mCfkSHkoecUWOl5qRfrrhVdw6ySrycVCBHo1/+6g1ilkYoDRNU667nJsbPqDKcCZyWeqnGhLIxHWLXUkkj1H42P3RKzq0yIGGsbElD5urviYxGWk+iwHZG1Iz0sjcT//O6qQlv/IzLJDUo2WJRmApiYjL7mgy4QmbExBLKFLe3EjaiijJjsynZELzll1dJu1b1Lqu15lWlfpbHUYQTOIUL8OAa6nAHDWgBA4RneIU359F5cd6dj0VrwclnjuEPnM8f4AWM4w==</latexit> y˙ <latexit sha1_base64="Yg7HaMBpqj3zl12lvjAqSrlXU4c=">AAAB7XicbVDLSgMxFL1TX7W+qi7dBKvgqsxUQZcFNy4r2Ae0Q8mkmTY2kxmSO8JQ+g9uXCji1v9x59+YtrPQ1gOBwzn3kHtPkEhh0HW/ncLa+sbmVnG7tLO7t39QPjxqmTjVjDdZLGPdCajhUijeRIGSdxLNaRRI3g7GtzO//cS1EbF6wCzhfkSHSoSCUbRSqzeIkWT9csWtunOQVeLlpAI5Gv3ylw2yNOIKmaTGdD03QX9CNQom+bTUSw1PKBvTIe9aqmjEjT+Zbzsl51YZkDDW9ikkc/V3YkIjY7IosJMRxZFZ9mbif143xfDGnwiVpMgVW3wUppJgTGank4HQnKHMLKFMC7srYSOqKUNbUMmW4C2fvEpatap3Wa3dX1XqZ3kdRTiBU7gAD66hDnfQgCYweIRneIU3J3ZenHfnYzFacPLMMfyB8/kDSgaO2A==</latexit> Ig <latexit sha1_base64="nwNez8Bop7TFJ8z+qNjEg9w6z2g=">AAAB83icbVDLSsNAFL3xWeur6tLNYBFclaQKuiy40V0F+4CmlMn0ph06mYSZiVBCf8ONC0Xc+jPu/BsnbRbaemDgcM693DMnSATXxnW/nbX1jc2t7dJOeXdv/+CwcnTc1nGqGLZYLGLVDahGwSW2DDcCu4lCGgUCO8HkNvc7T6g0j+WjmSbYj+hI8pAzaqzk+xE14yDM7meD0aBSdWvuHGSVeAWpQoHmoPLlD2OWRigNE1Trnucmpp9RZTgTOCv7qcaEsgkdYc9SSSPU/WyeeUbOrTIkYazsk4bM1d8bGY20nkaBncwz6mUvF//zeqkJb/oZl0lqULLFoTAVxMQkL4AMuUJmxNQSyhS3WQkbU0WZsTWVbQne8pdXSbte8y5r9YeraoMUdZTgFM7gAjy4hgbcQRNawCCBZ3iFNyd1Xpx352MxuuYUOyfwB87nDyuDkak=</latexit> Ia <latexit sha1_base64="/Nw9pP+HYPyIxYqibD6ulUUg+Fg=">AAAB83icbVDLSgMxFL1TX7W+qi7dBIvgqsxUQZcFN7qrYB/QGUsmzbShmUxIMkIZ+htuXCji1p9x59+YaWehrQcCh3Pu5Z6cUHKmjet+O6W19Y3NrfJ2ZWd3b/+genjU0UmqCG2ThCeqF2JNORO0bZjhtCcVxXHIaTec3OR+94kqzRLxYKaSBjEeCRYxgo2VfD/GZhxG2d3sEQ+qNbfuzoFWiVeQGhRoDapf/jAhaUyFIRxr3fdcaYIMK8MIp7OKn2oqMZngEe1bKnBMdZDNM8/QmVWGKEqUfcKgufp7I8Ox1tM4tJN5Rr3s5eJ/Xj810XWQMSFTQwVZHIpSjkyC8gLQkClKDJ9agoliNisiY6wwMbamii3BW/7yKuk06t5FvXF/WWuioo4ynMApnIMHV9CEW2hBGwhIeIZXeHNS58V5dz4WoyWn2DmGP3A+fwAg5pGi</latexit> Ib <latexit sha1_base64="uOujVHymAtkIg6Ybt6cx8xHu020=">AAAB83icbVDLSgMxFL1TX7W+qi7dBIvgqsxUQZcFN7qrYB/QGUsmzbShmUxIMkIZ+htuXCji1p9x59+YaWehrQcCh3Pu5Z6cUHKmjet+O6W19Y3NrfJ2ZWd3b/+genjU0UmqCG2ThCeqF2JNORO0bZjhtCcVxXHIaTec3OR+94kqzRLxYKaSBjEeCRYxgo2VfD/GZhxG2d3sMRxUa27dnQOtEq8gNSjQGlS//GFC0pgKQzjWuu+50gQZVoYRTmcVP9VUYjLBI9q3VOCY6iCbZ56hM6sMUZQo+4RBc/X3RoZjradxaCfzjHrZy8X/vH5qousgY0KmhgqyOBSlHJkE5QWgIVOUGD61BBPFbFZExlhhYmxNFVuCt/zlVdJp1L2LeuP+stZERR1lOIFTOAcPrqAJt9CCNhCQ8Ayv8Oakzovz7nwsRktOsXMMf+B8/gAiapGj</latexit> IL <latexit sha1_base64="BaPG3nZCIWZb0aNy6h1f+dq1vEc=">AAAB83icbVDLSgMxFL3js9ZX1aWbYBFclZkq6LLgRsFFBfuAzlgyaaYNzSRDkhHK0N9w40IRt/6MO//GTDsLbT0QOJxzL/fkhAln2rjut7Oyura+sVnaKm/v7O7tVw4O21qmitAWkVyqbog15UzQlmGG026iKI5DTjvh+Dr3O09UaSbFg5kkNIjxULCIEWys5PsxNqMwym6nj3f9StWtuTOgZeIVpAoFmv3Klz+QJI2pMIRjrXuem5ggw8owwum07KeaJpiM8ZD2LBU4pjrIZpmn6NQqAxRJZZ8waKb+3shwrPUkDu1knlEvern4n9dLTXQVZEwkqaGCzA9FKUdGorwANGCKEsMnlmCimM2KyAgrTIytqWxL8Ba/vEza9Zp3XqvfX1QbqKijBMdwAmfgwSU04Aaa0AICCTzDK7w5qfPivDsf89EVp9g5gj9wPn8AARKRjQ==</latexit> ˙ IL <latexit sha1_base64="/6hLdbCdo7i/wqfH6TpVeuyw5G8=">AAAB/HicbVDLSgMxFM34rPU12qWbYBFclZkq6LLgRsFFBfuAdiyZNNOGZjJDckcYhvorblwo4tYPceffmGlnoa0HAodz7k1Ojh8LrsFxvq2V1bX1jc3SVnl7Z3dv3z44bOsoUZS1aCQi1fWJZoJL1gIOgnVjxUjoC9bxJ1e533lkSvNI3kMaMy8kI8kDTgkYaWBX+sMIcNYPCYz9ILuZTh9uB3bVqTkz4GXiFqSKCjQH9pe5hSYhk0AF0brnOjF4GVHAqWDTcj/RLCZ0QkasZ6gkIdNeNgs/xSdGGeIgUuZIwDP190ZGQq3T0DeTeUi96OXif14vgeDSy7iME2CSzh8KEoEhwnkTeMgVoyBSQwhV3GTFdEwUoWD6KpsS3MUvL5N2veae1ep359UGLuoooSN0jE6Riy5QA12jJmohilL0jF7Rm/VkvVjv1sd8dMUqdiroD6zPH8falL8=</latexit> ˙ I <latexit sha1_base64="vSwRN/OW6012EkAVtcdAPV7NMaE=">AAAB+nicbVC7TsMwFL0pr1JeKYwsFhUSU5UUJBgrscBWJPqQ2qhyXKe16jiR7YCqkE9hYQAhVr6Ejb/BaTNAy5EsHZ1zr318/JgzpR3n2yqtrW9sbpW3Kzu7e/sHdvWwo6JEEtomEY9kz8eKciZoWzPNaS+WFIc+p11/ep373QcqFYvEvZ7F1AvxWLCAEayNNLSrg1GkUToIsZ74QXqbZUO75tSdOdAqcQtSgwKtof1l7iBJSIUmHCvVd51YeymWmhFOs8ogUTTGZIrHtG+owCFVXjqPnqFTo4xQEElzhEZz9fdGikOlZqFvJvOIatnLxf+8fqKDKy9lIk40FWTxUJBwpCOU94BGTFKi+cwQTCQzWRGZYImJNm1VTAnu8pdXSadRd8/rjbuLWhMVdZThGE7gDFy4hCbcQAvaQOARnuEV3qwn68V6tz4WoyWr2DmCP7A+fwBt6ZQB</latexit> I <latexit sha1_base64="iN2zBKFNVR4yzstxFab1ETdTSto=">AAAB8XicbVDLSgMxFL1TX7W+qi7dBIvgqsxUQZcFN7qrYB/YDiWTZtrQTGZI7ghl6F+4caGIW//GnX9j2s5CWw8EDufcS849QSKFQdf9dgpr6xubW8Xt0s7u3v5B+fCoZeJUM95ksYx1J6CGS6F4EwVK3kk0p1EgeTsY38z89hPXRsTqAScJ9yM6VCIUjKKVHnsRxVEQZnfTfrniVt05yCrxclKBHI1++as3iFkacYVMUmO6npugn1GNgkk+LfVSwxPKxnTIu5YqGnHjZ/PEU3JmlQEJY22fQjJXf29kNDJmEgV2cpbQLHsz8T+vm2J47WdCJSlyxRYfhakkGJPZ+WQgNGcoJ5ZQpoXNStiIasrQllSyJXjLJ6+SVq3qXVRr95eVOsnrKMIJnMI5eHAFdbiFBjSBgYJneIU3xzgvzrvzsRgtOPnOMfyB8/kDrOKQzw==</latexit> Is <latexit sha1_base64="AQtyw+uPjU+d6erT5o7+GDfYjiI=">AAAB83icbVDLSsNAFL3xWeur6tLNYBFclaQKuiy40V0F+4CmlMn0ph06mYSZiVBCf8ONC0Xc+jPu/BsnbRbaemDgcM693DMnSATXxnW/nbX1jc2t7dJOeXdv/+CwcnTc1nGqGLZYLGLVDahGwSW2DDcCu4lCGgUCO8HkNvc7T6g0j+WjmSbYj+hI8pAzaqzk+xE14yDM7mcDPahU3Zo7B1klXkGqUKA5qHz5w5ilEUrDBNW657mJ6WdUGc4Ezsp+qjGhbEJH2LNU0gh1P5tnnpFzqwxJGCv7pCFz9fdGRiOtp1FgJ/OMetnLxf+8XmrCm37GZZIalGxxKEwFMTHJCyBDrpAZMbWEMsVtVsLGVFFmbE1lW4K3/OVV0q7XvMta/eGq2iBFHSU4hTO4AA+uoQF30IQWMEjgGV7hzUmdF+fd+ViMrjnFzgn8gfP5Az2zkbU=</latexit> IL s <latexit sha1_base64="FDuKaLtQcQua0pPofILlO0Ri4xc=">AAAB9XicbVDLSgMxFL3js9ZX1aWbYBFclZkq6LLgRsFFBfuAdloyaaYNzSRDklHK0P9w40IRt/6LO//GTDsLbT0QOJxzL/fkBDFn2rjut7Oyura+sVnYKm7v7O7tlw4Om1omitAGkVyqdoA15UzQhmGG03asKI4CTlvB+DrzW49UaSbFg5nE1I/wULCQEWys1OtG2IyCML2d9nXvrl8quxV3BrRMvJyUIUe9X/rqDiRJIioM4VjrjufGxk+xMoxwOi12E01jTMZ4SDuWChxR7aez1FN0apUBCqWyTxg0U39vpDjSehIFdjJLqRe9TPzP6yQmvPJTJuLEUEHmh8KEIyNRVgEaMEWJ4RNLMFHMZkVkhBUmxhZVtCV4i19eJs1qxTuvVO8vyjWU11GAYziBM/DgEmpwA3VoAAEFz/AKb86T8+K8Ox/z0RUn3zmCP3A+fwCTgJJz</latexit>
Fig. 2. Block diagram of EdgeFool, which generates a
detail-enhanced adversarial image,I, by training a Fully Convolutional˙
Neural Network (FCNN) using a smoothing loss,Ls, and an
ad-versarial loss,Ladv( forward pass; backward pass). The FCNN
learns a smooth image,Is, based on the desired output,Ig, of the
image smoothing filter and the objective of predicting a class ofI,˙ y,˙
that is different fromy, the class of the input imageI.
differs from that of the original image: ˙
y=C(˙I)6=y=C(I), (1)
whereyis the predicted class of the original image.
For each of theDclasses, the classifierC(·)predicts logit scores
z = (z1, ..., zi, ..., zD)forI, wherezi ∈ (−∞,+∞)is the logit
score for classi. The logit scores are then normalised and the
soft-max is used to predict the probabilitypi∈[0,1]of each classi:
pi= e
zi
ΣD
d=1ezd
, (2)
wherep= (p1, ..., pi, ..., pD)represents the probability of all the
classes.
The predicted class,y, is decided by a winner-take-all approach:
y= arg max
d=1,...,D
pd. (3)
2.2. Adversarial image enhancement
We propose an adversarial image enhancement filter, EdgeFool, whose perturbations enhance details, preserve structure and
main-tain the original colours. EdgeFool decomposesIinto its structural
component,Is(Figure 3(a)), containing smooth regions, and a
resid-ual component,Id(Figure 3(b)), corresponding to image details:
I=Is+Id. (4)
We learn this image decomposition by training a FCNN [16]
with a multi-task loss,L, which includes an image smoothing loss,
Ls, and the adversarial loss,Ladv:
L=αLs(Is,Ig) +Ladv(˙I,I), (5)
where the hyper-parameterαcontrols the relative importance ofLs
andLadv. Thesmoothing loss,Ls, measures the difference between
the learned structure and an image representation that excludes
(a) (b) (c) (d)
Fig. 3. Intermediate results of the EdgeFool adversarial image
gen-eration process. (a) Image structure,Is. (b) Image details,ILd; (c)
Enhanced details,I˙L−ILs. (d) Adversarial image,I. Note that (b)˙
and (c) are scaled for visualisation.
high spatial frequency components,Ig, output by an`0
structure-preserving smoothing filter [11]:
Ls(Is,Ig) =kIs−Igk
2
. (6)
We then avoid changing the colours of the input image and
en-hance the image details of theLimage channel only, after conversion
to theLabcolour space. The detail-enhanced adversarial image,I˙
(Figure 3(d)), is finally generated by combining the channel with
en-hanced details,I˙L, with theaandbcolour channels of the original
image, and then transforming the resulting image back to the RGB space: ˙I= ˙ IL=fILs−v1 100 , v2 ·100 +v1+fILd 100, v3 ·100, ˙ Ia=Ia, ˙ Ib=Ib, (7)
wheref(a, b) = 1 +e−ab−1
−0.5[17],v1 is a constant value
that adjusts the midpoint of the sigmoid curve,v2andv3control the
slope of the sigmoid curves inILs andILd, respectively. The input
to the sigmoid function is normalised by 100, the range of theL
channel.
Theadversarial loss,Ladv, quantifies the difference between the
score of the adversarial imageI˙belonging to the same class asI,zy,˙
and the maximum score among other classes [3]:
Ladv(˙I,I) = ˙zy−max{zi˙ :i= 1, ..., D;i6=y}, (8)
wherezi˙ ∈z˙is the logit score ofI˙for classi.
We iteratively train the whole pipeline end-to-end by
minimis-ingLin Eq. 5 using the Adam optimiser [18], until the generated
˙
Imisleads the target classifier andLs < τ. We empirically set the
thresholdτ = 5e−4to makeIsclose toIg, enabling the separation
of the details for enhancement.
Figure 4 shows an example of a perturbation generated by Edge-Fool and compares it with the perturbations generated by state-of-the-art adversarial methods applied to the same image.
3. VALIDATION
We compare the proposed method, EdgeFool, with six state-of-the-art adversarial methods: N-FGSM [1], P-FGSM [2], DeepFool [8],
SparseFool [6], CW [3] and SemanticAdv [5]. We apply these
adversarial methods to three state-of-the-art classifiers: ResNet with 50 layers (ResNet-50) and 18 layers (ResNet-18) [14], and AlexNet [15] on Private-Places365 [13, 19] and ImageNet [12] as
scene and object datasets. The Private-Places365 validation set
includes 3K images of 60 privacy-sensitive scene classes. The Im-ageNet validation set includes 50 images of different size for 1K
Original EdgeFool SemanticAdv
P-FGSM DeepFool SparseFool CW
Fig. 4. Comparison of adversarial perturbations generated by dif-ferent methods, namely EdgeFool, SemanticAdv [5], P-FGSM [2], DeepFool [8], SparseFool [6] and CW [3]. Note that the constrained perturbations (second row) are scaled for visualisation.
classes. In order to perform the evaluation on all 1K classes of Im-ageNet and reduce the computational cost, we consider 3K images by randomly selecting 3 images per class.
We used the PyTorch implementations provided by the authors
for P-FGSM1, DeepFool2and SparseFool3and we implemented
N-FGSM. We also implemented SemanticAdv in PyTorch based on
their Keras version4, while we used Foolbox5 for CW. We
instan-tiate FCNN from the architecture implemented in [16]. The input
size is224×224×3. The FCNN architecture consists of 7
convo-lution layers with 24 intermediate feature maps and kernels of size
3×3. The last convolution layer applies a1×1convolution that
generatesIs. The dilation factors of each convolution layer are set
to 1, 2, 4, 8, 16, 32, 1, and 1, respectively. Leaky Rectified Linear Unit (L-ReLU) is applied after padding and normalising each inter-mediate convolutional layer, except the last convolution layer. For
the detail enhancement, we follow the parameters in [17],v1 = 56,
v2 = 1, andv3 = 15, which magnify the details by providing a
steeper slope to the sigmoid curve forILd. Also, we chooseα= 10
for the loss function.
As performance measures we consider the misleading rate,
transferability and detectability. Themisleading rate is the ratio
between the number of adversarial images that successfully mislead
a classifier and the total number of images. Transferabilityis the
misleading rate of adversarial images on a classifier that is different from the one that was used to generate the perturbations. Finally,
detectabilityis the ratio between the number of detected
adversar-ial images and the total number of images. To detect an image as adversarial we use the so-called feature squeezing framework [4], which consists of applying median filtering and bit-depth reduction.
An image is considered adversarial if the`1difference between the
D-dimentional class predictions of the image,p, and its˙ squeezed
version exceed the threshold, which is defined based on the`1
dif-ference of the original images and their corresponding squeezed
images by accepting a5%false positive rate.
Figure 5 shows the misleading rate and transferability of N-FGSM, P-N-FGSM, DeepFool, SparseFool, CW, SemanticAdv, and EdgeFool against ResNet-50, ResNet-18, and Alexnet. The top
cir-1https://github.com/smartcameras/P-FGSM 2https://github.com/LTS4/DeepFool 3https://github.com/LTS4/SparseFool 4https://github.com/HosseinHosseini/Semantic-Adversarial-Examples 5https://foolbox.readthedocs.io/en/stable/ Private-Places365 NF PF DF SF CW SA EF [1] [2] [8] [6] [3] [5] 0.0 0.2 0.4 0.6 0.8 1.0 Misleading rate ImageNet NF PF DF SF CW SA EF [1] [2] [8] [6] [3] [5] 0.0 0.2 0.4 0.6 0.8 1.0 NF PF DF SF CW SA EF 0.0 0.2 0.4 0.6 0.8 1.0 Misleading rate NF PF DF SF CW SA EF 0.0 0.2 0.4 0.6 0.8 1.0 NF PF DF SF CW SA EF 0.0 0.2 0.4 0.6 0.8 1.0 Misleading rate NF PF DF SF CW SA EF 0.0 0.2 0.4 0.6 0.8 1.0
Fig. 5. Misleading rate and transferability of N-FGSM (NF), P-FGSM (PF), DeepFool (DF), SparseFool (SF), CW, SemanticAdv (SA) and EdgeFool (EF) for ResNet-50 ( ), ResNet-18 ( ) and AlexNet ( ) on Private-Places365 and ImageNet. EdgeFool is more transferable than other adversarial methods, except SemanticAdv that however severely distorts the colours (see Figure 6).
cle and bottom circles indicate the misleading rate against the clas-sifier that adversarial images are generated for and transferability to other classifiers, respectively. While most adversarial methods suc-cessfully mislead a particular classifier, EdgeFool and SemanticAdv have higher transferability to other classifiers. For example, CW
generates adversarial images that mislead ResNet-18 above99%,
while only2%and4%are transferable to AlexNet and ResNet-50.
EdgeFool adversarial images generated for ResNet-50 have above
99%success rate on ResNet-50 and the SemanticAdv misleading
rate is93%; however, EdgeFool and SemanticAdv are52%and71%
transferable to AlexNet. The higher transferability of SemanticAdv is due to the large colour distortions of the generated adversarial im-ages.
Table 1 reports the detectability rate of adversarial images for ResNet-50, ResNet-18 and AlexNet on ImageNet and
Private-Places365. Median filtering and bit-depth reduction help detect
the small but high spatial-frequency perturbations of constrained adversarial methods (especially P-FGSM and CW), while Seman-ticAdv generates the most undetectable adversarial images to me-dian filtering, as it perturbs hue and saturation of all pixels by the same randomly-generated amount. EdgeFool is less detectable than constrained adversarial methods, but more detectable than Seman-ticAdv, as some of the enhanced (adversarial) details are smoothed out by the median filtering. Although EdgeFool and SemanticAdv are comparable in terms of the misleading rate and transferability, SemanticAdv perturbs each pixel more than EdgeFool and severely distorts the adversarial images as the colour changes are random (see Figure 6 and Figure 7). SparseFool perturbs only a few pixels with large and prominent changes, whereas the adversarial images of EdgeFool contain adversarial perturbations, which enhance details.
Table 1. Detectability rate(↓)of N-FGSM, P-FGSM, DeepFool, SparseFool, CW, SemanticAdv, and EdgeFool on Private (P)-Places365 and ImageNet for ResNet-50 (R-50), ResNet-18 (R-18) and AlexNet (A) classifiers. For the Quantization (Q), we reduce the number of bits
from 8 to 4-bit (4b) to 7-bit (7b). Smoothing (S) is a median filter with2×2(2m) and3×3(3m) on the adversarial images. Although
SemanticAdv is less detectable than EdgeFool, its adversarial images suffer from unnatural colour changes (see Figure 6 and Figure 7).
N-FGSM [1] P-FGSM [2] DeepFool [8] SparseFool [6] CW [3] SemanticAdv [5] EdgeFool
R-50 R-18 A R-50 R-18 A R-50 R-18 A R-50 R-18 A R-50 R-18 A R-50 R-18 A R-50 R-18 A P-Places365 Q 4b .08 .07 .06 .05 .02 .01 .26 .23 .14 .06 .05 .06 .31 .24 .14 .06 .06 .06 .01 .00 .00 5b .05 .06 .06 .01 .01 .01 .27 .23 .13 .07 .07 .06 .33 .28 .14 .09 .09 .07 .01 .00 .00 6b .04 .04 .06 .01 .01 .01 .23 .18 .15 .07 .06 .06 .28 .23 .13 .11 .07 .07 .01 .00 .00 7b .06 .05 .08 .01 .01 .01 .17 .15 .15 .08 .06 .07 .19 .15 .11 .12 .09 .07 .02 .02 .03 S 2m .39 .36 .43 .86 .82 .93 .49 .49 .40 .35 .34 .22 .48 .45 .36 .14 .11 .08 .28 .27 .21 3m .39 .41 .24 .96 .94 .85 .35 .41 .19 .17 .22 .10 .33 .38 .15 .12 .13 .05 .19 .25 .14 ImageNet Q 4b .24 .18 .11 .45 .24 .02 .48 .37 .22 .13 .08 .07 .99 .96 .68 .11 .08 .08 .04 .01 .01 5b .18 .16 .09 .01 .01 .01 .32 .25 .20 .14 .11 .08 .98 .97 .71 .12 .11 .09 .02 .01 .01 6b .12 .11 .07 .01 .01 .01 .20 .15 .19 .14 .09 .09 .97 .94 .67 .14 .11 .09 .03 .01 .01 7b .10 .09 .09 .01 .01 .01 .11 .09 .17 .12 .11 .10 .88 .85 .56 .14 .12 .10 .03 .03 .06 S 2m .40 .35 .29 .95 .91 .93 .62 .57 .48 .42 .38 .24 .99 .98 .85 .14 .09 .07 .32 .27 .21 3m .31 .29 .17 .98 .97 .93 .55 .53 .24 .09 .10 .11 .92 .88 .51 .09 .07 .05 .13 .13 .12
Orginal N-FGSM [1] P-FGSM [2] DeepFool [8] SparseFool [6] CW [3] SemanticAdv [5] EdgeFool
Fig. 6. Adversarial images generated by EdgeFool and other state-of-the-art adversarial methods for ResNet-50 in ImageNet and Private-Places365. N-FGSM, P-FGSM, DeepFool and CW adversarial images are similar to the original images to human eyes, while they are detectable by defence frameworks and not transferable (see Table 1 and Figure 5). EdgeFool takes advantage of image processing filtering in order to generate structure-aware adversarial perturbations that enhance the details of the image.
(a) (b) (c)
Fig. 7. Examples of adversarial images generated by
Semanti-cAdv [5] against (a) AlexNet, (b) ResNet18 and (c) ResNet50 for the original image in Figure 3(a).
4. CONCLUSION
We presented EdgeFool, an adversarial image enhancement filter that trains a multi-task fully convolutional neural network to gen-erate adversarial images whose details are enhanced. We compared EdgeFool with six state-of-the-art adversarial methods on ResNet-50, ResNet-18 and AlexNet classifiers using ImageNet and Private-Places365 datasets and showed that EdgeFool satisfies misleading, transferability and undetectability objectives. As future work, we will validate EdgeFool on other classifiers and with other datasets, as well as perform a formal subjective evaluation of the adversarial image quality.
5. REFERENCES
[1] A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial
ex-amples in the physical world,” inProceedings of the
Interna-tional Conference on Learning Representations (ICLR) work-shop track, Toulon, France, April 2017.
[2] C. Y. Li, A. S. Shamsabadi, R. Sanchez-Matilla, R. Mazzon,
and A. Cavallaro, “Scene privacy protection,” inProceedings
of the IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Brighton, UK, May 2019. [3] N. Carlini and D. Wagner, “Towards evaluating the robustness
of neural networks,” inProceedings of the symposium on
Secu-rity and Privacy (S&P), San Jose, California, USA, May 2017. [4] W. Xu, D. Evans, and Y. Qi, “Feature squeezing: Detecting
adversarial examples in deep neural networks,” inProceedings
of the Network and Distributed Systems Security symposium (NDSS), San Diego, California, USA, February 2018. [5] H. Hosseini and R. Poovendran, “Semantic adversarial
exam-ples,” inProceedings of the IEEE Conference on Computer
Vision and Pattern Recognition (CVPR) workshop track, Salt Lake City, Utah, USA, June 2018.
[6] A. Modas, S. Moosavi-Dezfooli, and P. Frossard, “Sparsefool:
a few pixels make a big difference,” inProceedings of the
IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, California, USA, June 2019.
[7] C. Xie, Z. Zhang, J. Wang, Y. Zhou, Z. Ren, and A. Yuille, “Improving transferability of adversarial examples with input
diversity,” inProceedings of the IEEE Conference on
Com-puter Vision and Pattern Recognition (CVPR), Long Beach, California, USA, June 2019.
[8] S. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “Deepfool: A simple and accurate method to fool deep neural networks,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, Nevada, USA, June 2016.
[9] A. Bhattad, M. J. Chong, K. Liang, B. Li, and D. A Forsyth, “Big but imperceptible adversarial perturbations via semantic
manipulation,”arXiv preprint arXiv:1904.06347, 2019.
[10] Z. Zhu, Y. Lu, and C. Chiang, “Generating adversarial
ex-amples by makeup attacks on face recognition,” in
Proceed-ings of the IEEE International Conference on Image Process-ing (ICIP), Taipei, Taiwan, September 2019.
[11] L. Xu, C. Lu, Y. Xu, and J. Jia, “Image smoothing via l0
gra-dient minimization,” ACM Transactions on Graphics (TOG),
vol. 30, no. 6, pp. 174:1–174:12, 2011.
[12] J. Deng, W. Dong, R. Socher, L. Li, K. Li, and L. Fei-Fei,
“Im-agenet: A large-scale hierarchical image database,” in
Pro-ceedings of the IEEE Conference on Computer Vision and Pat-tern Recognition (CVPR), Miami Beach, Florida, USA, June 2009.
[13] B. Zhou, A. Lapedriza, A. Khosla, A. Oliva, and A. Torralba, “Places: A 10 million image database for scene recognition,” IEEE Transactions on Pattern Analysis and Machine Intelli-gence (PAMI), vol. 40, no. 6, pp. 1452–1464, June 2018. [14] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning
for image recognition,” inProceedings of the IEEE Conference
on Computer Vision and Pattern Recognition (CVPR), Las Ve-gas, Nevada, USA, June 2016.
[15] A. Krizhevsky, I. Sutskever, and G. E. Hinton, “Imagenet
clas-sification with deep convolutional neural networks,” in
Pro-ceedings of the Advances in Neural Information Processing Systems (NIPS), Lake Tahoe, Nevada, USA, December 2012. [16] H. Wu, S. Zheng, J. Zhang, and K. Huang, “Fast end-to-end
trainable guided filter,” inProceedings of the IEEE
Confer-ence on Computer Vision and Pattern Recognition (CVPR), Salt Lake City, Utah, USA, June 2018.
[17] Q. Fan, J. Yang, D. Wipf, B. Chen, and X. Tong, “Image
smoothing via unsupervised learning,” ACM Transactions on
Graphics (TOG), vol. 37, no. 6, pp. 259:1–259:14, 2018. [18] D. P. Kingma and J. Ba, “Adam: A method for stochastic
op-timization,” inProceedings of the International Conference
on Learning Representations (ICLR), San Diego, California, USA, December 2015.
[19] “Pixel privacy task, mediaeval 2018,” http://www.
multimediaeval.org/mediaeval2018/, [Last
![Fig. 4. Comparison of adversarial perturbations generated by dif- dif-ferent methods, namely EdgeFool, SemanticAdv [5], P-FGSM [2], DeepFool [8], SparseFool [6] and CW [3]](https://thumb-us.123doks.com/thumbv2/123dok_us/9833516.2475964/3.918.468.834.106.487/comparison-adversarial-perturbations-generated-edgefool-semanticadv-deepfool-sparsefool.webp)
