JPEG-resistant Adversarial Images

Abstract:

While JPEG compression is not differentiable, we show how to closely approximate it using only differentiable operations.

  • differentiable approximation to rounding:



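    The original rounding has a derivative of zero almost everywhere, which is incompatible with FGSM, so it is replaced by the approximation in the formula above.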

  • Creating JPEG-resistant adversarial images

In this paper, we showed how to defeat the JPEG defense by performing an adaptive attack with a differentiable JPEG approximation. By ensembling target models that use varying amounts of compression, our adversarial examples generalize to models with and without this defense.

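At the input stage, JPEG compression of the image is performed with JPEG_{diff}(x,q) (a differentiable JPEG approximation); that is, the optimization problem becomes: argmax_{x′} l(C(x),C(JPEG_{diff}(x′,q))) s.t. ∥x′ − x∥ < d.
This requires computing the gradient:
∇_{x′}[l(C(x),C(JPEG_{diff}(x′,q)))]
With this, the ability of compression to defend against FGSM decreases.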
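
The rounding step from the first bullet, as an added example (not code from the paper or from this post), comparing the gradient that reaches a DCT coefficient through hard and through approximate quantization. It assumes the cubic form round(x) + (x − round(x))³ that the summarized paper uses for its approximation; the helper names, the step q and the coefficient values are constructed for illustration.

```python
import math

def hard_round(x):
    """Round to nearest integer, as in standard JPEG quantization."""
    return math.floor(x + 0.5)

def soft_round(x):
    """Assumed cubic approximation: round(x) + (x - round(x))**3."""
    r = hard_round(x)
    return r + (x - r) ** 3

def soft_round_grad(x):
    """Analytic derivative of soft_round; zero only at exact integers."""
    return 3.0 * (x - hard_round(x)) ** 2

def quantize(c, q, rounder):
    """Quantize then dequantize one DCT coefficient with step q."""
    return q * rounder(c / q)

def numeric_grad(f, x, h=1e-4):
    """Central finite difference, used to cross-check the analytic gradient."""
    return (f(x + h) - f(x - h)) / (2 * h)

def gradient_report(coeffs, q):
    """Per coefficient: (c, hard grad, soft grad, analytic soft grad, output gap)."""
    rows = []
    for c in coeffs:
        g_hard = numeric_grad(lambda v: quantize(v, q, hard_round), c)
        g_soft = numeric_grad(lambda v: quantize(v, q, soft_round), c)
        # Chain rule: d/dc [q * s(c/q)] = s'(c/q), the q factors cancel.
        g_analytic = soft_round_grad(c / q)
        gap = abs(quantize(c, q, soft_round) - quantize(c, q, hard_round))
        rows.append((c, g_hard, g_soft, g_analytic, gap))
    return rows

# Constructed sample: six DCT coefficients and a quantization step of 10.
SAMPLE_COEFFS = [-37.2, -3.0, 0.4, 5.9, 12.3, 20.0]
SAMPLE_Q = 10.0

if __name__ == "__main__":
    for c, g_hard, g_soft, g_an, gap in gradient_report(SAMPLE_COEFFS, SAMPLE_Q):
        print(f"c={c:6.1f} hard={g_hard:.4f} soft={g_soft:.4f} "
              f"analytic={g_an:.4f} gap={gap:.4f}")
```

The hard path reports a zero gradient for every coefficient, while the approximate path passes a gradient everywhere except at exact multiples of q, and its output differs from true quantization by at most 0.125·q.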
