Color and Edge-Aware Adversarial Image Perturbations
Robert Bassett, Naval Postgraduate School, 1 University Circle, Monterey, CA 93943, [email protected]
Mitchell Graves, US Naval Academy, 121 Blake Rd, Annapolis, MD 21402, [email protected]
Figure 1: A Color-and-Edge-Aware Perturbation. Left: an image of a tank which has been adversarially perturbed through a targeted misclassification so that it is classified as an amphibious vehicle. Center: a region of the left image. Right: the image perturbation, which has been constructed to model human perception of texture and color. Image source: ILSVRC 2012 [10]. Classifier: Inception v3 [14].

Abstract
Adversarial perturbation of images, in which a source image is deliberately modified with the intent of causing a classifier to misclassify the image, provides important insight into the robustness of image classifiers. In this work we develop two new methods for constructing adversarial perturbations, both of which are motivated by minimizing human ability to detect changes between the perturbed and source image. The first of these, the Edge-Aware method, reduces the magnitude of perturbations permitted in smooth regions of an image, where changes are more easily detected. Our second method, the Color-Aware method, performs the perturbation in a color space which accurately captures human ability to distinguish differences in colors, thus reducing the perceived change. The Color-Aware and Edge-Aware methods can also be implemented simultaneously, resulting in image perturbations which account for both human color perception and sensitivity to changes in homogeneous regions. Though Edge-Aware and Color-Aware modifications exist for many image perturbation techniques, we focus on easily computed perturbations. We empirically demonstrate that the Color-Aware and Edge-Aware perturbations we consider effectively cause misclassification, are less distinguishable to human perception, and are as easy to compute as the most efficient image perturbation techniques. Code and demo available at https://github.com/rbassett3/Color-and-Edge-Aware-Perturbations.
1. Introduction
Adversarial perturbations have shown that state-of-the-art techniques for image classification are inherently unstable, because minute changes to an image can result in dramatic changes in the predicted class of the image. Many techniques have been introduced to generate adversarial perturbations, but a common theme is a formulation which encourages substantial change to the output of the classifier while restricting to only small changes of the image. In these formulations, metrics for quantifying change to the image are often mathematically instead of perceptually motivated.

We address this problem by proposing two new techniques for generating adversarial perturbations. The first, our Edge-Aware method, is motivated by human ability to detect minor modifications against a smooth background. It uses a texture filter, such as a Sobel or Gabor filter, to limit perturbations in smooth regions. The result is that the Edge-Aware method constructs perturbations which preserve smoothly textured regions in the image. Though this limitation might be expected to make misclassification more difficult to achieve, we find that misclassification can still be caused relatively easily, even when generating perturbations which target a certain class for the perturbed image.

Our second contribution is the Color-Aware method for generating image perturbations. While the Edge-Aware method reduces detection by considering how a pixel differs from its neighbors, the Color-Aware method focuses on the pixel value itself. It is well known that for RGB representations of a pixel, metrics like ℓ2 or ℓ∞ do not accurately capture human ability to perceive color difference. Therefore perturbations which are small with respect to these metrics may still be easily detected by an individual comparing the perturbed and source images. To overcome this issue we convert the image to a color space which does capture human perception of color difference, and construct the perturbation in this space. One concern with this approach is computational, because conversion from RGB to color spaces which attempt to accurately model human perception can involve complicated transformations. We mitigate this concern by using the CIE L*a*b* (CIELAB) color space, in which the ℓ2 distance between pixels captures perceived color distance. The tractability of this constraint, and the fact that we construct the perturbation directly in CIELAB color space, allow us to construct Color-Aware perturbations with minimal computational overhead.

The Color-Aware and Edge-Aware methods can be applied simultaneously to generate a Color-and-Edge-Aware perturbation, an example of which appears in Figure 1. Color-and-Edge-Aware perturbations reduce human ability to distinguish between the source and modified images by constraining both texture and color discrepancies. In the remainder of this paper, we demonstrate the effectiveness of Color and Edge-Aware perturbations. We show that they are among the most computationally efficient methods for generating adversarial perturbations, while still effectively causing misclassification of the perturbed image. We also provide empirical evidence which confirms that Color and Edge-Aware perturbations are more difficult for a human observer to detect.

Before proceeding we establish some notation.
We assume that images have been scaled to take values in [0, 1]. Let w, h, and c be fixed positive integers which give the width, height, and number of color channels, respectively, of the images considered. Denote [0, 1]^{h×w×c}, the set of valid images, by X. Let C := {1, ..., C} be a set of possible image classes. An image classification algorithm is a function F : X → ∆_C, where ∆_C denotes the C-dimensional probability simplex. It is common for an image classifier to convert logits to probabilities using the softmax function, in which case F can be written F = softmax ∘ Z for some function Z : X → R^C. Throughout, we will denote a source image by x, a perturbation by δ, and a perturbed image x + δ by x′. We denote by ‖·‖_{p,c} : [0, 1]^{h×w×c} → R^{h×w} an ℓp norm applied across the color dimension of an image. Otherwise, ‖·‖_p denotes the entrywise p-norm of a tensor. Lastly, we use ⟨⟨·, ·⟩⟩ to denote the Frobenius inner product.
2. Related Work
Neural networks are state-of-the-art tools for image classification, and have been used in a variety of application areas including computer vision [6], [17], natural language processing [4], and Markov decision processes [13]. Despite their success, Szegedy et al. [15] first noticed that neural networks are vulnerable to adversarial perturbations, in which noise is added to an input in order to cause misclassification without substantially changing the input. Adversarial perturbations are especially interesting in the context of image classification, in part because of the high level of performance that artificial neural networks enjoy in that domain. In their paper, Szegedy et al. compute a perturbed image x′ of an input image x by solving the following optimization problem using bound-constrained L-BFGS.

    min_{x′ ∈ R^{h×w×c}}   L(F(x′), l) + α ‖x − x′‖_2
    subject to             0 ≤ x′ ≤ 1.

The function L : ∆_C × C → R and label l ∈ C take two forms. In the untargeted setting, where any misclassification is acceptable, L is taken to be the negative cross entropy loss and l the true label of the image. In the targeted setting, L is taken to be the cross entropy loss and l the targeted label for the image. Large values of the parameter α encourage the perturbation to be close to the source image; this value must be chosen separately.

A few features of the Szegedy et al. method are worth emphasizing. First, the optimization method is quasi-Newton, and hence requires only first-order information about the objective function. This is important because modern software for neural networks emphasizes efficient gradient computation. Second-order information, on the other hand, would be extremely burdensome to compute and cannot be assumed. Another important feature of the Szegedy et al. method is that projection onto the constraint set is easy, so that it can be computed quickly as part of iterative first-order methods. Lastly, we note that, despite its simplicity, the L-BFGS method requires extra memory to store Hessian approximations, and can also require many function evaluations to compute the step length (often via backtracking).

In contrast to the L-BFGS method of Szegedy et al., the Fast Gradient Sign Method (FGSM) prioritizes perturbations which can be easily computed [5]. The FGSM method proposes the following optimization problem

    min_{δ ∈ R^{h×w×c}}   L(F(x + δ), l)
    subject to            ‖δ‖_∞ < α.

To reduce the computational burden associated with solving this problem, the authors instead optimize a linear approximation of the objective, formed using the gradient of the loss with respect to the input.

    min_{δ ∈ R^{h×w×c}}   ⟨⟨∇_x L(F(x), l), δ⟩⟩
    subject to            ‖δ‖_∞ < α.

This has the closed-form solution

    x′ = x + α sign(∇_x L(F(x), l)).

In the event that x′ ∉ [0, 1]^{h×w×c}, it can easily be projected onto this set, making the result a valid image. FGSM can also be used as an iterative method, where the perturbed image x′ from one iteration is used as the input image x in the next iteration.

The FGSM's simplicity is the key to its success. Though the linear approximation of FGSM is simpler than the quasi-Newton method of Szegedy et al., FGSM requires only the elementwise sign of the gradient yet has been shown to still generate effective perturbations.

There have been many other methods proposed to generate adversarial perturbations.
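To make the FGSM update concrete, the following is a minimal single-step sketch in PyTorch; `model`, `x`, `label`, and `alpha` are placeholder names, and we use the conventional cross-entropy form of the loss (ascending it for the untargeted case) rather than the signed loss convention above.

```python
import torch
import torch.nn.functional as F

def fgsm_step(model, x, label, alpha, targeted=False):
    """One FGSM step: move x by alpha in the elementwise sign of the loss gradient.

    model: classifier returning logits; x: image tensor of shape (1, c, h, w) in [0, 1];
    label: true label (untargeted) or target label (targeted), as a length-1 long tensor.
    """
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), label)
    loss.backward()
    # Ascend the cross entropy for an untargeted attack, descend it for a targeted one.
    direction = x.grad.sign() if not targeted else -x.grad.sign()
    x_adv = x + alpha * direction
    # Project back onto the set of valid images.
    return x_adv.clamp(0.0, 1.0).detach()
```

Feeding the returned image back in as the next input reproduces the iterative variant described above.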
Two of the most celebrated are the Carlini-Wagner ℓ2 perturbation [2] and DeepFool [7]. The Carlini-Wagner approach is designed to achieve very precise misclassification, and it includes a tuning parameter which specifies the misclassification confidence. In this sense, the Carlini-Wagner approach is well-suited to answer the question: "What is the minimal perturbation required to move this image onto the decision boundary between classes?" Though it effectively generates adversarial perturbations, the Carlini-Wagner method is complex relative to other methods for adversarially perturbing images, requiring multiple starting points and at least three additional univariate parameters depending on the descent method used. Because of the complex formulation and relatively high computational overhead, Carlini-Wagner perturbations have different motivations than our Color-Aware and Edge-Aware perturbations, in which we seek to efficiently and effectively create image perturbations which are undetectable by human observers. Doing so accomplishes two goals. The first is practical: perturbations which are easier to compute can be more readily applied. Our second goal is theoretical, in that we seek the simplest technique that accomplishes the task of constructing effective and imperceptible image perturbations.

The motivation for DeepFool better aligns with the goals of this paper because of its emphasis on lightweight construction of perturbations. The DeepFool algorithm proceeds iteratively by stepping towards the decision boundary of the classifier. In order to make these iterates tractable, DeepFool linearly approximates the decision boundary at each iteration. DeepFool prioritizes efficient computation, and in this way is a compromise between Carlini-Wagner and FGSM. One drawback of DeepFool is that it only accommodates untargeted perturbations. Like DeepFool, we are motivated by efficient computation of perturbations, but our method will accommodate targeted perturbations. We also note that DeepFool, like many other perturbation methods, can easily be modified to include both our Edge-Aware and Color-Aware ideas by changing the norm it uses internally.
3. Proposed Approaches
We begin by describing our Color-Aware perturbation. The primary motivation for developing our Color-Aware perturbation is that the distance between colors, when represented as vectors in RGB space, does not correspond to the perceived difference from the perspective of a human observer. There have been many efforts to devise color systems which respect human perception, beginning with the Munsell Color System [9] in 1905. Since then, the International Commission on Illumination (with acronym CIE in French) developed a sequence of color spaces and color distances which attempt to quantify perceived color difference. The first of these was in 1931 with the CIEXYZ color space. This space was improved in 1976 with the addition of the CIELAB and CIELUV color spaces, which better model perceived color difference. The CIELAB and CIELUV spaces perform similarly with respect to their accuracy in perceived color difference [8], and we opt to use CIELAB. We note that in the CIELAB representation of colors, perceived distance between colors is measured using the Euclidean distance between them.

Conversion from RGB to CIELAB requires an intermediate conversion to CIEXYZ, which is a linear transformation.

    XYZ = A · RGB                                      (1)

The (invertible) matrix A ∈ R^{3×3} is specified in the CIEXYZ standard [12]. Conversion from XYZ to LAB space is nonlinear.

    L* = 116 f(Y / Y_n) − 16                           (2)
    a* = 500 ( f(X / X_n) − f(Y / Y_n) )               (3)
    b* = 200 ( f(Y / Y_n) − f(Z / Z_n) )               (4)

where δ = 6/29 and

    f(t) = t^(1/3)             if t > δ³,
    f(t) = t / (3δ²) + 4/29    otherwise.

The constants X_n, Y_n, and Z_n depend on the illumination standard used, but are commonly taken as X_n := 95.047, Y_n := 100, and Z_n := 108.883 [11]. Denote by C_{RGB→XYZ} a conversion function from RGB to CIEXYZ, with appropriate notational extensions to other color spaces. When necessary, we will clarify the space in which a source image x, perturbed image x′, or perturbation δ resides with an appropriate superscript. We have C_{RGB→LAB} = C_{XYZ→LAB} ∘ C_{RGB→XYZ}. The conversion functions C_{XYZ→LAB} and C_{RGB→XYZ} are invertible, so C_{LAB→RGB} is defined as the appropriate composition of inverse conversions. We note that all conversion functions are continuous and piecewise differentiable.

Figure 2: An illustration of the CIELAB color distance. Each 'x' is formed by changing the solid blue background in RGB by the same amount in a single color plane. Though equidistant in RGB, some of the 'x's are more easily distinguished from the background. The CIELAB distance, on the other hand, accurately captures perceived color difference. Left: CIELAB distance 3.04. Center: CIELAB distance 17.23. Right: CIELAB distance 76.94.

CIELAB was further extended to the color difference formulas CIEDE94 and CIEDE2000 in the corresponding years. One of the few other works to apply perceptual color spaces to adversarial perturbations is [16], which used a Carlini-Wagner approach to compute adversarial perturbations where the difference between the perturbed and source image was quantified using CIEDE2000. That work shares our Color-Aware motivation of constructing perturbations which account for human color perception, but our emphasis on efficient computation prompts us to use CIELAB instead, thus avoiding the complexity of a Carlini-Wagner formulation.
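To make the conversion concrete, here is a minimal NumPy sketch of equations (1)–(4) for a single pixel. The particular matrix below is the common linear-sRGB-to-XYZ (D65) matrix, used as an assumed stand-in for A, and the white point constants are the D65 values quoted above; both are illustrative assumptions rather than details fixed by this paper.

```python
import numpy as np

# Linear-sRGB to CIEXYZ matrix (D65); an assumed stand-in for the matrix A in (1).
A = np.array([[0.4124, 0.3576, 0.1805],
              [0.2126, 0.7152, 0.0722],
              [0.0193, 0.1192, 0.9505]])
XN, YN, ZN = 95.047, 100.0, 108.883   # reference white, scaled so that Y_n = 100

def f(t, delta=6.0 / 29.0):
    """The piecewise cube-root function from equations (2)-(4)."""
    return np.where(t > delta ** 3, np.cbrt(t), t / (3 * delta ** 2) + 4.0 / 29.0)

def rgb_to_lab(rgb):
    """Convert a single linear RGB pixel with values in [0, 1] to CIELAB."""
    x, y, z = 100.0 * (A @ np.asarray(rgb, dtype=float))   # equation (1), scaled to the white point
    fx, fy, fz = f(x / XN), f(y / YN), f(z / ZN)
    return np.array([116.0 * fy - 16.0,                    # L*
                     500.0 * (fx - fy),                    # a*
                     200.0 * (fy - fz)])                   # b*

# Perceived color difference is the Euclidean distance between CIELAB coordinates,
# as in the comparison of single-color-plane changes illustrated in figure 2.
print(np.linalg.norm(rgb_to_lab([0.0, 0.0, 1.0]) - rgb_to_lab([0.2, 0.0, 1.0])))
```

The same map, written with differentiable operations (for example, in PyTorch), is what allows gradients to be propagated through C_{LAB→RGB} in the perturbation step described below.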
Though the CIEDE94 and CIEDE2000 difference formulas were intended to correct some imprecisions in using CIELAB to measure perceived color difference, they require complicated nonconvex manipulations of the LAB coordinates and are not given by the ℓp distance in some color space. This increases the computational burden required to compute adversarial perturbations and motivates our use of CIELAB. To our knowledge there has only been one other effort using perceptual color spaces for image perturbations [1]. Like our work, the authors use the CIELAB distance, but their formulation differs critically from ours, positing an intractable constraint which is mitigated by solving a penalized version instead. Our formulation only uses tractable constraints, mirroring the simplicity of FGSM in both its constraint set and the closed-form solution of its linear approximation.

We propose to adversarially perturb an image x_RGB as follows. Convert x_LAB := C_{RGB→LAB}(x_RGB) and solve the following.

    min_δ          L( F ∘ C_{LAB→RGB}( x_LAB + δ ), l )                (5)
    subject to     ‖δ‖_{2,c} ≤ α.

As in FGSM, we linearly approximate the objective function to yield the closed-form solution below.

    x′_LAB = x_LAB + α ∇_x L( F ∘ C_{LAB→RGB}( x_LAB ), l ) / ‖∇_x L( F ∘ C_{LAB→RGB}( x_LAB ), l )‖_{2,c}     (6)

We note that division in (6) is pointwise and broadcast across the color dimension so that the dimensions are compatible. Finally, the perturbed image can be converted to RGB, x′_RGB = C_{LAB→RGB}(x′_LAB).

We note that because δ is a perturbation in CIELAB space, the constraint in (5) represents perceived color difference. Also, the classifier F is assumed to require RGB inputs, though we note that there is work attempting to train models directly on CIELAB representations of images [3].

Next we describe the Edge-Aware perturbation method. Let W : X → [0, 1]^{h×w} denote a pixel-wise edge detector, such as the Sobel or Gabor filter, where a value near one means an edge is detected. We construct Edge-Aware perturbations by weighting pixels in the perturbation constraint by their edge weights, thus reducing the magnitude of perturbation permitted in smooth regions. This can be applied to FGSM directly, but we will introduce it in the context of our Color-Aware perturbation method. Letting w = W(x_RGB), we propose solving the following.

    min_δ          L( F ∘ C_{LAB→RGB}( x_LAB + δ ), l )                (7)
    subject to     ‖δ‖_{2,c} ≤ α w.

Again, by linearly approximating the objective function we arrive at the closed-form solution

    x′_LAB = x_LAB + α w · ∇_x L( F ∘ C_{LAB→RGB}( x_LAB ), l ) / ‖∇_x L( F ∘ C_{LAB→RGB}( x_LAB ), l )‖_{2,c}   (8)
    x′_RGB = C_{LAB→RGB}( x′_LAB ).

As in equation (6), the multiplication and division in (8) are pointwise and broadcast across the color dimension.

Figure 3: FGSM and Color-Aware perturbations. Left: a source image to be adversarially perturbed. Center: the FGSM perturbation, scaled to [0, 1]. Right: the Color-Aware perturbation, scaled to [0, 1]. In order to emphasize the colors in this perturbation, we have rounded each value to the nearer of 0 and 1. Note that in the Color-Aware perturbation different objects (dog, grass, or dark background) have perturbations in different directions.
We also note that in equations (6) and (8) it is possible that the 2-norm at a pixel is zero, in which case we do not make any perturbation at the pixel.
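A rough PyTorch sketch of one step of equation (8) follows (equation (6) is the special case w ≡ 1). Here `lab_to_rgb` stands for a differentiable implementation of C_{LAB→RGB}, `model` is a classifier returning logits on RGB inputs, and `w` is the edge-weight map W(x_RGB); these names are placeholders rather than code from the released repository, and the loss is written in the cross-entropy convention.

```python
import torch
import torch.nn.functional as F

def color_edge_aware_step(model, lab_to_rgb, x_lab, label, alpha, w=None, targeted=False):
    """One Color-(and-Edge-)Aware step in the spirit of equations (6) and (8).

    x_lab: CIELAB image tensor of shape (1, 3, H, W); w: optional edge-weight tensor (H, W).
    """
    x_lab = x_lab.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(lab_to_rgb(x_lab)), label)  # loss of F composed with C_{LAB->RGB}
    loss.backward()
    grad = x_lab.grad if not targeted else -x_lab.grad       # ascend (untargeted) or descend (targeted)
    # l2 norm across the color dimension; pixels with zero gradient are left unperturbed.
    norm = grad.norm(p=2, dim=1, keepdim=True)
    step = alpha * torch.where(norm > 0, grad / norm.clamp_min(1e-12),
                               torch.zeros_like(grad))
    if w is not None:                                         # Edge-Aware weighting
        step = step * w.view(1, 1, *w.shape)
    return (x_lab + step).detach()
```

The perturbed RGB image is then obtained by applying lab_to_rgb to the returned tensor, clipped to the set of valid images if necessary.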
4. Experiments
In this section we empirically evaluate the performance of our Color and Edge-Aware perturbations. Throughout, we use the Inception v3 classifier [14] and the ILSVRC 2012 validation set [10] as the classifier to disrupt and the images to perturb. We will use a Sobel filter to construct the edge weights, though other edge filters would also be appropriate.
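As an illustration of how such an edge-weight map might be computed, the sketch below applies SciPy's Sobel filters to a grayscale version of the image and rescales the gradient magnitude to [0, 1]; the grayscale conversion and normalization choices are our assumptions, not details specified above.

```python
import numpy as np
from scipy import ndimage

def sobel_edge_weights(rgb):
    """Pixel-wise edge weights W(x) in [0, 1]: values near one indicate edges.

    rgb: array of shape (H, W, 3) with values in [0, 1].
    """
    gray = rgb.mean(axis=2)            # simple grayscale conversion
    gx = ndimage.sobel(gray, axis=0)   # gradient in the vertical direction
    gy = ndimage.sobel(gray, axis=1)   # gradient in the horizontal direction
    magnitude = np.hypot(gx, gy)       # edge strength at each pixel
    return magnitude / max(magnitude.max(), 1e-12)
```

The resulting map can be used directly as the weights w in the Edge-Aware step, so that perturbations in smooth regions are scaled toward zero.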
We begin by comparing perturbations computed using our Color-Aware method with those of FGSM, in order to show the qualitative difference between perturbation directions. For a small value of α, we compute x′ − x, the difference between a perturbed and source image, where the perturbed image x′ is constructed through both FGSM and our Color-Aware method. Figure 3 gives a comparison of the perturbations, where the Color-Aware version is rounded to the nearest vertex of the RGB cube to make it more visually comparable with the FGSM perturbation.

We see that our Color-Aware method clearly identifies color trends in this perturbation that FGSM does not. In the region containing the grass, red occurs in much lower quantities than the green and blue colors. Similar to our example in figure 2, perturbing the nondominant color planes results in large RGB change with small perceived color difference. The most prevalent colors in this region are teal and coral, which represent changes in the red color plane because of the [0, 1] scaling. Less prevalent but still visible are lavender and olive, which represent perturbations in the blue color plane, the other non-dominant color in the region. For the region containing the white samoyed dog, the white of the dog has a fairly even distribution of RGB colors, so there is more variety in the perturbations than in the grassy region. In FGSM, however, color trends are impossible to distinguish. The region containing the dog can be distinguished upon close inspection based on the texture of the perturbation, but not the distribution of its colors.

We also include a comparison of our Color-Aware and Color-and-Edge-Aware methods with FGSM and L-BFGS. In figure 4 we construct untargeted perturbations on an image containing a submarine. Close inspection reveals perturbation artefacts in the sky near the water's surface and around the submarine's broadcasting equipment for all methods except Color-and-Edge-Aware, with Color-Aware displaying fewer artefacts than L-BFGS and FGSM. Table 1 contains classification confidence and quantifications of the perturbation's size using various norms. The large ℓ∞ norm of the Color-and-Edge-Aware perturbation relative to the other methods, combined with its small ℓ2 norm, suggests that there are fewer perturbed pixels but that the magnitude of these perturbations is larger. This aligns with the intuition used to create the Edge-Aware weighting. Little or no change occurs in the smooth sky region, while larger magnitude perturbations are placed in the region containing the water, where they cannot be readily perceived.

Figure 4: Comparison of perturbation methods in an untargeted attack. (a) Original image. (b) L-BFGS. (c) FGSM. (d) Color-Aware. (e) Color-and-Edge-Aware. For all methods the perturbed image was classified as a breakwater. Details in text and table 1.

Image                 Prob.   ‖δ‖2      ‖δ‖∞
Original              .997    0         0
L-BFGS                .442    538.28    1.
FGSM                  1.00    1558.36   3.
Color-Aware           .980    1594.69   3.
Color-&-Edge-Aware    .980    987.29    3.

Table 1: Numerical comparison of the untargeted attacks producing the perturbed images in figure 4. For the original image the probability listed is for the submarine class. For all others it is the breakwater class, which was the class with the highest probability for all methods.

Figure 5 contains a similar example for a targeted attack, where the source image contains a tank and the targeted label is a mobile home. All perturbation methods successfully induced misclassification. The performance of the methods is generally similar to the untargeted setting, in that all methods except Color-and-Edge-Aware have easily detectable perturbations. Similar to the submarine example, L-BFGS appears to place large magnitude perturbations in certain regions, in this example at the front of the tank, but less perturbation overall. Both Color-Aware and FGSM make notable texture changes on the side of the tank and in the sky above. Table 3 summarizes the performance of the methods. Though the Color-and-Edge-Aware perturbation is larger in ℓ∞ norm than the others, the location of these perturbations and its more accurate modeling of color perception make it less discernible than the others from the perspective of a human observer.

In this section we demonstrate that Color-Aware and Color-and-Edge-Aware perturbations are effective at inducing misclassification. For our first experiment, we choose 100 images from the 2012 ILSVRC validation set which the Inception v3 network classifies correctly. The α value is chosen uniquely from a set of candidates for each perturbation method but fixed for all images. Our selected α corresponds to the value that misclassified the highest proportion of the first 10 images. We perform both targeted and untargeted experiments, where for all images the target class was a coffee mug. The step length/penalty parameter was chosen in the untargeted experiment and was the same for the targeted experiments. Table 2 summarizes our results.
              L-BFGS   FGSM   C-Aware   C-&-E-Aware
Untargeted    92%      100%   100%      91%
Targeted

Table 2: Misclassification percentages for 100 images, with 5 iterations for untargeted and 10 iterations for targeted. Full details in text.

The results indicate that perturbations which are Color-Aware and/or Edge-Aware reliably induce misclassification. Moreover, all methods considered consistently cause misclassification given a proper choice of α and a sufficient number of iterations. Unsurprisingly, we see that achieving targeted misclassification is more difficult and requires more iterations to do so reliably. Our Color-and-Edge-Aware method achieves a high misclassification rate on both the untargeted and targeted tasks, whereas FGSM and Color-Aware achieve 100% misclassification in the untargeted setting, providing evidence that restricting perturbations to smoothly-textured regions has only a small impact on the ability of the method to induce misclassification. Only a small fraction of images were unable to be misclassified by both untargeted and targeted Color-and-Edge-Aware perturbations, which suggests that the ability to induce misclassification using perturbations which are restricted to certain regions depends on the region and the target class.
Image                   Prob.   ‖δ‖2      ‖δ‖∞
Original                .852    0         0
L-BFGS                  .804    609.55    1.
FGSM                    .995    1621.22   3.
Color-Aware             .980    1616.69   3.
Color-and-Edge-Aware    .980    1185.87   4.

Table 3: Numerical comparison of the targeted attacks producing the perturbed images in figure 5. For the original image the probability listed is for the tank class. For all others it is the mobile home class, which was the targeted label.

Figure 5: Comparison of perturbation methods in a targeted attack, with a mobile home as the target label. (a) Original image. (b) L-BFGS. (c) FGSM. (d) Color-Aware. (e) Color-and-Edge-Aware. Details in text and table 3.

For our second experiment, we compare how the misclassification confidence changes as a function of the number of iterations and of the magnitude of the perturbation as quantified by various norms. We use the source image of a submarine in figure 4 to perform an untargeted attack. Our results are given in figure 6, where the curves in each subfigure are parametrized by iteration number. These plots show that our contributions are competitive with L-BFGS and FGSM when measured by the ℓp norms in an RGB representation, and that they outperform the competition when quantified using the CIELAB color distance.

From the perspective of per-iteration confidence, figure 6 provides evidence that FGSM and Color-Aware perturbations behave similarly with respect to misclassification confidence as a function of iterations. Color-and-Edge-Aware performs poorly in metrics which are sensitive to outliers (ℓ2 and ℓ∞) because of its tendency to place larger perturbations in regions where they are not easily detected. L-BFGS also performs poorly in these metrics, suggesting that it places large perturbations in isolated regions. The fact that L-BFGS does not place these perturbations in regions where they are difficult to discern suggests that its perturbation artefacts may be easily detectable. When quantified using norms of the CIELAB distances, Color and Edge-Aware perturbations outperform FGSM and are competitive with the more complex L-BFGS method.
Next we compare the computational burden of the methods considered, as assessed by their running times. Color-Aware and Color-and-Edge-Aware perturbations have the advantage of properly accounting for human perception of color and texture, but we hope to do so as simply as possible. The gold standard for generating simple image perturbations is the fast gradient sign method, because it only requires the elementwise sign of the gradient. Compared to FGSM, Color-Aware and Color-and-Edge-Aware impose additional structure to model human perception. First, the computation of the gradient requires composition with the conversion function C_{LAB→RGB}. Second, instead of the sign of the gradient, Color-Aware methods normalize the gradient in the ℓ2 norm across the color dimension. Lastly, making a perturbation method Edge-Aware requires an additional application of an edge filter. Our experiments show that Color-Aware and Color-and-Edge-Aware perturbations are only marginally less efficient to construct than FGSM perturbations.

Figure 6: Confidence against iterations and against the ℓ1, ℓ2, and ℓ∞ norms. The left column plots confidence against ‖x′_RGB − x_RGB‖_p and the right column plots confidence against ‖ ‖x′_LAB − x_LAB‖_{2,c} ‖_p, for p ∈ {1, 2, ∞}. Details in text.

Because our emphasis is on generating effective image perturbations with minimal computational resources, we consider both CPU and GPU implementations. Table 4 gives the running times for each method applied to 100 ILSVRC images. Our experiments were carried out in a Linux operating system, with an 8-core Intel i9-9980 CPU at 2.4 GHz, 64 GB of memory, and a GeForce GTX 1650 GPU.
Method                  CPU time (s)    GPU time (s)
L-BFGS
FGSM
Color-Aware
Color-&-Edge-Aware

Table 4: Mean and standard deviation of the run times for each method applied to 100 images. Each method was run for 10 iterations.

Table 4 demonstrates that the time required to generate Color-Aware and Color-and-Edge-Aware perturbations is similar to FGSM and less than L-BFGS. Interestingly, we note that the computational burden associated with composing the model with the conversion function C_{LAB→RGB}, evident in the difference between FGSM and Color-Aware, results in a smaller relative increase in the CPU implementation than in the GPU implementation. In both implementations, the additional time required to make the method Edge-Aware is minor, a small fraction of a second.
5. Conclusion
We have presented two new methods for creating adversarial image perturbations which are less discernible by a human observer. The first, our Color-Aware perturbation method, accounts for human perception of color by performing the perturbation directly in CIELAB space, where a simple constraint guarantees the perceived color change to the perturbed image is small. Our second contribution is our Edge-Aware method, which uses a texture filter to restrict perturbations to regions where a human observer is less likely to detect them. The Color-Aware and Edge-Aware methodologies can be combined to generate Color-and-Edge-Aware perturbations, which address both issues simultaneously. We find that our contributions reliably induce misclassification, require similar computation time as the most efficient techniques for generating adversarial perturbations, and are more difficult to detect than methods of similar complexity, providing evidence that Color and Edge-Aware perturbations are a simple yet effective way to generate perturbations which properly account for human perception.
Acknowledgments
Both authors acknowledge support from the Office of Naval Research's Science of Autonomy Program, award number N0001420WX01523.

References

[1] Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. Synthesizing robust adversarial examples. In International Conference on Machine Learning, pages 284–293, 2018.
[2] Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE, 2017.
[3] Javier Diaz-Cely, Carlos Arce-Lopera, Juan Cardona Mena, and Lina Quintero. The effect of color channel representations on the transferability of convolutional neural networks. In Science and Information Conference, pages 27–38. Springer, 2019.
[4] Yoav Goldberg. Neural network methods for natural language processing. Synthesis Lectures on Human Language Technologies, 10(1):1–309, 2017.
[5] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
[6] Alex Krizhevsky, Ilya Sutskever, and Geoffrey E Hinton. ImageNet classification with deep convolutional neural networks. In Advances in Neural Information Processing Systems, pages 1097–1105, 2012.
[7] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. DeepFool: a simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 2574–2582, 2016.
[8] Dorothy I Morley, Ruth Munn, and Fred W Billmeyer Jr. Small and moderate colour differences: II. The Morley data. Journal of the Society of Dyers and Colourists, 91(7):229–242, 1975.
[9] Dorothy Nickerson. History of the Munsell color system and its scientific application. JOSA, 30(12):575–586, 1940.
[10] Olga Russakovsky, Jia Deng, Hao Su, Jonathan Krause, Sanjeev Satheesh, Sean Ma, Zhiheng Huang, Andrej Karpathy, Aditya Khosla, Michael Bernstein, Alexander C. Berg, and Li Fei-Fei. ImageNet Large Scale Visual Recognition Challenge. International Journal of Computer Vision (IJCV), 115(3):211–252, 2015.
[11] Janos Schanda. CIE colorimetry. Colorimetry: Understanding the CIE System, pages 25–78, 2007.
[12] Thomas Smith and John Guild. The C.I.E. colorimetric standards and their use. Transactions of the Optical Society, 33(3):73, 1931.
[13] Richard S Sutton and Andrew G Barto. Reinforcement Learning: An Introduction. MIT Press, 2018.
[14] Christian Szegedy, Vincent Vanhoucke, Sergey Ioffe, Jon Shlens, and Zbigniew Wojna. Rethinking the Inception architecture for computer vision. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 2818–2826, 2016.
[15] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
[16] Zhengyu Zhao, Zhuoran Liu, and Martha Larson. Towards large yet imperceptible adversarial image perturbations with perceptual color distance. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 1039–1048, 2020.
[17] Zhong-Qiu Zhao, Peng Zheng, Shou-tao Xu, and Xin-dong Wu. Object detection with deep learning: A review. IEEE Transactions on Neural Networks and Learning Systems, 2019.