Image Perturbation Generation: Exploring New Ways for Adversaries to Interrupt Neural Network Image Classifiers
Abstract
Modern-day machine learning algorithms are vulnerable to adversarial perturbations. Before machine learning is employed in operational environments, it is important for the Department of Defense to understand the vulnerabilities in adversarial domains. With an emphasis on applications to image classification, this thesis intends to investigate methods for constructing adversarial manipulations intended to fool a statistical classifier in order to establish best practices prior to employment in a mission-critical environment. The state-of-the-art method for generating adversarial perturbations utilizes an easy-to-obtain linear approximation of the defender's loss function and applies a change to each pixel's value in the direction of the gradient by a pre-determined constant in order to maximize the defender's loss function. This results in misclassification of the image. This thesis aims to improve existing methods for developing adversarial inputs to image classifiers by attempting to find new ways to make perturbations less perceptible to human vision. We develop two new perturbation methods. Color Aware attempts to constrain perturbation changes to match human perception by mapping to CIELAB color space, a color space better suited to represent human vision, while Color and Edge Aware constrains perturbation changes in visually smooth regions in images.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 01, 2020
- Accession Number: AD1114516
Entities
People
- Mitchell R. Graves
Organizations
- Naval Postgraduate School