Imperceptible Adversarial Attack via Invertible Neural Networks
DOI:
https://doi.org/10.1609/aaai.v37i1.25115Keywords:
CV: Adversarial Attacks & RobustnessAbstract
Adding perturbations via utilizing auxiliary gradient information or discarding existing details of the benign images are two common approaches for generating adversarial examples. Though visual imperceptibility is the desired property of adversarial examples, conventional adversarial attacks still generate traceable adversarial perturbations. In this paper, we introduce a novel Adversarial Attack via Invertible Neural Networks (AdvINN) method to produce robust and imperceptible adversarial examples. Specifically, AdvINN fully takes advantage of the information preservation property of Invertible Neural Networks and thereby generates adversarial examples by simultaneously adding class-specific semantic information of the target class and dropping discriminant information of the original class. Extensive experiments on CIFAR-10, CIFAR-100, and ImageNet-1K demonstrate that the proposed AdvINN method can produce less imperceptible adversarial images than the state-of-the-art methods and AdvINN yields more robust adversarial examples with high confidence compared to other adversarial attacks. Code is available at https://github.com/jjhuangcs/AdvINN.
Downloads
Published
2023-06-26
How to Cite
Chen, Z., Wang, Z., Huang, J.-J., Zhao, W., Liu, X., & Guan, D. (2023). Imperceptible Adversarial Attack via Invertible Neural Networks. Proceedings of the AAAI Conference on Artificial Intelligence, 37(1), 414-424. https://doi.org/10.1609/aaai.v37i1.25115
Issue
Section
AAAI Technical Track on Computer Vision I
