SSTA: Salient Spatially Transformed Attack

Given a well-trained DNN classifier $\bm{\mathcal{C}}$ and an input $\bm{x}$ with its corresponding label $y$, we have $\bm{\mathcal{C}}(\bm{x})=y$. The AE $\bm{x}_{adv}$ is a neighbor of $\bm{x}$ and satisfies that $\bm{\mathcal{C}}(\bm{x}_{adv})\neq y$ and $\left\|\bm{x}_{adv}-\bm{x}\right\|_{p}\leq\epsilon$, where the $\bm{L}_{p}$-norm is used as the metric function and $\epsilon$ is usually a small noise budget. With this definition, the problem of finding an AE becomes a constrained optimization problem:

$$\bm{x}_{adv}=\underset{\left\|\bm{x}_{adv}-\bm{x}\right\|_{p}\leq\epsilon}{\mathop{argmax}\mathcal{L}}(\bm{\mathcal{C}}(\bm{x}_{adv})\neq y),$$

(1)

where $\mathcal{L}$ stands for a loss function that measures the confidence of the model outputs.

Previous works craft an AE $\bm{x}_{adv}$ by adding $\bm{L}_{p}$-norm constrained noise $\delta$ to the clean image $\bm{x}$ as

$$\bm{x}_{adv}=\bm{x}+\delta,\ s.t.\ \left\|\delta\right\|_{p}\leq\epsilon.$$

(2)

Different from this, in this paper, we combine the salient object extraction and the spatial transform techniques to build the imperceptible AE $\bm{x}_{adv}$. As illustrated in Fig. 1, the proposed salient spatially transformed attack framework can be divided into two stages: the first stage is to obtain a salient region, we call it mask $\bm{M}(\cdot)$; the other one is to calculate the flow field $\bm{f}$. Subsequently, we can formulate the AE $\bm{x}_{adv}$ by applying the calculated flow field $\bm{f}$ to the clean image’s salient area $\bm{M}(\cdot)$.

In this paper, we use the salient detection method TRACER [7], which can efficiently detect salient objects in images, to extract the critical area mask $\bm{M}(\cdot)$. In preliminary experiments, we also tried other area extraction methods like LC [8], FT [9], and Grad-CAM [10, 11], but found TRACER [12] is more suitable because it can efficiently detect salient objects in an image and return their corresponding regions, the results are showing in Fig. 2.

Moreover, TRACER can return several regions $r_{\tau}(\tau=0,...,255)$ with various scales depending on different thresholds when extracting salient areas. These regions will be helpful to the downstream tasks, such as image segmentation and background removal. In our work, we first take the region with a high threshold $\tau$, such as $\tau=250$, as the region mask $\bm{M}(\cdot)$. Then, in generating AEs, if the current attack is unsuccessful after pre-set iterations, the $\bm{M}(\cdot)$ will be updated by decreasing the threshold $\tau$.

After computing the mask region $\bm{M}(\cdot)$, we subsequently utilize the spatial transform method to build AEs in a non-noise additional way. The spatial transform techniques using a flow field matrix $\bm{f}=[2,h,w]$ to transform the original image $x$ to $x_{st}$ [4]. Specifically, assume the input is $x$ and its transformed counterpart $\bm{x}_{st}$, for the $i$-th pixel in $\bm{x}_{st}$ at the pixel location $(u_{st}^{i},v_{st}^{i})$, we need to calculate the flow field matrix $\bm{f}_{i}=(\Delta u^{i},\Delta v^{i})$. So, the $i$-th pixel $\bm{x}^{i}$’s location in the transformed image can be indicated as:

$$(u^{i},v^{i})=(u_{st}^{i}+\Delta u^{i},v_{st}^{i}+\Delta v^{i}).$$

(3)

To ensure the flow field $\bm{f}$ is differentiable, the bi-linear interpolation [6] is used to obtain the 4 neighboring pixels’ value surrounding the location $(u_{st}^{i}+\Delta u^{i},v_{st}^{i}+\Delta v^{i})$ for the transformed image $\bm{x}_{st}$ as:

$$\bm{x}_{st}^{i}=\sum_{q\in\bm{N}(u^{i},v^{i})}\bm{x}^{q}(1-|u^{i}-u^{q}|)(1-|v^{i}-v^{q}|),$$

(4)

where $\bm{N}(u^{i},v^{i})$ is the neighborhood, that is, the four positions (top-left, top-right, bottom-left, bottom-right) tightly surrounding the target pixel $(u^{i},v^{i})$. In adversarial attack settings, the calculated $\bm{x}_{st}$ is the final AE $\bm{x}_{adv}$. Once the $f$ has been computed, we can obtain the $\bm{x}_{adv}$ by combining $\bm{M}(\cdot)$ and flow field $\bm{f}$, which is given by:

$$\bm{x}_{adv}=clip(\bm{M}(\sum_{q\in\bm{N}(u^{i},v^{i})}\bm{x}^{q}(1-|u^{i}-u^{q}|)(1-|v^{i}-v^{q}|))\\ +(\bm{x}-\bm{M(\bm{x}})),0,1),$$

(5)

where $\bm{M}(\bm{x})$ represents the salient region while the $\bm{x}-\bm{M}(\bm{x})$ indicates the area out of the salient region.

In practice, we regard the problem of calculating flow field $\bm{f}$ as an optimization task. In this paper, we use the AdamW to optimize flow $\bm{f}$.

Taking the attack success rate and visual invisibility of the generated AEs into account, we divide the objective function into two parts, where one is the adversarial loss and the other is a constraint for the flow field. Unlike other flow field-based attack methods, which constrain the size of the flow field by the flow loss proposed in [4], in our method, we use a dynamically updated flow field budget $\xi$ (a small number, like $1*10^{-2}$) to regularize the flow field $f$. For adversarial attacks, the goal is making $\bm{\mathcal{C}}(\bm{x}_{adv})\neq y$. We give the objective function as:

$$\mathcal{L}_{adv}(\bm{x},y,\bm{f})=max[\bm{\mathcal{C}}(\bm{x}_{adv})_{y}-\underset{k\neq y}{max}\bm{\mathcal{C}}(\bm{x}_{adv})_{k},k],\\ s.t.\|\bm{f}\|\leq\xi.$$

(6)

Dataset: We verify the performance of our method on the development set of ImageNet-Compatible Dataset, a subset of ImageNet-K, which consists of 1,000 images with a size of 299×299×3. And we resized the image to 224x224x3 to adopt the victim models.

Models: We use the PyTorch pre-trained model as the victim models, including VGG-19 [13], ResNet-50 [14], DenseNet-121 [15], ViT-16 [16] and Swin_B [17].

Baselines: The baselines include the stAdv [4], Chroma-Shift [5] and AdvDrop [18].

Metrics: Unlike the pixel-based attack methods, which always use $L_{p}$-norm to evaluate the AEs’ perceptual similarity to its corresponding benign image. The AEs generated by spatial transformation always use other metrics referring to image quality. To be exact, we use the following perceptual metrics to evaluate the AEs generated by our method, including LPIPS [19], DISTS [20], FID, MSE, UQI [21], SCC [22], PSNR [23], VIPF [24], SSIM, and NIQE to evaluate the difference between the generated AEs and their benign counterparts and the image quality of these AEs.

We investigate the performance of the proposed method in attacking various image classifiers. The results are shown in Table. 1, we derive that SSTA can obtain the SOTA attack performance by only disturbing the minimal local area, i.e., the salient region, while other attacks need to distort the whole image. This demonstrates the superiority of our method.

We use diverse metrics involving image quality and similarity to assess the AEs’ image quality and list the results in Table. 2, which indicated that the proposed method has the lowest LPIPS, DISTS, FID, and MSE (the lower is better) are 0.0038, 0.0091, 16.3876 and 2.1210, respectively, and has the highest UQI, SCC, PSNR, VIPF, SSIM, and NIQE (the higher is better), achieving 0.9998, 0.9890, 49.2397, 0.9487, 0.9987 and 43.9611, respectively, in comparison to the baselines. The results point out that the proposed method is superior to the existing imperceptible attacks.

To visualize the difference between the AEs generated by our method and the baselines, we also draw the adversarial perturbation generated by stAdv, Chroma-Shift, AdvDrop and the proposed method in Fig. 3, the target model is pre-trained ResNet-50. The first row is the AEs and their corresponding noise of stAdv, Chroma-Shift, AdvDrop and our method, respectively. Noted that, for better observation, we magnified the noise by a factor of 30. From Fig. 3, we can clearly observe that these baselines distort the whole image. In contrast, the AEs generated by our method are focused on the salient region and its noise is milder; they are similar to the original clean counterparts and are more imperceptible to human eyes. These results indicate that the AEs generated by the proposed method have better concealment and are not easily exposed.

This experiment is for subjective evaluation, i.e., in most cases, whether AEs generated based on SSTA are indistinguishable from their original samples. We argue that AEs generated by SSTA not only satisfy imperceptibility but are also inconspicuous to the human eye. To validate this claim, we compare AEs generated by SSTA with those generated by baseline methods. In our human perception study, we display the original image and the AEs on the computer screen and give each participant 100 seconds to judge every image. Empirically, 100 seconds is enough to decide and point out any visible distortion for the participants. We used the randomly sampled 50 images from the ImageNet dataset for this experiment. The participants are shown about 5 images, the left is always the clean image and its right side shows adversarial images generated by various methods (Maybe more than one) or the same clean image. Participants will be asked “Are the images on the right the same as the left (the clean one)?” and each participant will provide more than 50 annotations. For each image to be checked, we can zoom it as large as possible to provide convenience for participants to observe.

A total of 20+ participants were involved in assessing whether the specific image was the same as the original clean image. For the sake of fairness, we put the clean images and adversarial images generated by different methods into the dataset to be checked together. These participants provided more than 1,000 annotations. As shown in Fig. 4, the AEs generated by SSTA are generally considered to be the same as the original images. 88.98% of the annotations were considered unmodified, meaning that most participants could not distinguish the AEs generated by SSTA. Conversely, for AEs generated by baseline methods, participants were able to spot distortions more easily, more than 90%, 55% and 30% of the total annotations have been picked out for stAdv, AdvDrop and Chroma-shift, respectively, indicating that the AEs generated by these baseline methods did not affect humans to identify objects in images correctly but very easy to find that they had tampered.