Adversarial Attacks on Deep Neural Networks (DNNs)

Abstract

Deep neural networks (DNNs) are extensively being used in multiple fields ranging from object classification and medical image analysis to self-driving cars. Vulnerability of such networks to the adversarial perturbations is a major area of concern due to its critical role. These perturbations may be imperceptible to human eyes yet they are strong enough to fool state-of-theart DNN classifiers. Contrary to already proposed methods of direct pixel manipulation, we propose a steganography based technique to generate adversarial perturbations to fool deep models on any image. The proposed perturbations are computed in a transform domain where a single secret image embedded in any target image makes any deep model misclassify the target image with high probability. The attack resulting from our perturbation is ideal for black-box setting, as it does not require any information about the target model. Moreover, being a non-iterative technique, our perturbation estimation remains computationally efficient. The computed perturbations are also imperceptible to humans while they achieve high fooling ratios for the models trained on large-scale ImageNet dataset. We demonstrate successful fooling of ResNet-50, VGG-16, Inception-V3 and MobileNet-V2, achieving up to 89% fooling of these popular classification models.