JPEG-resistant Adversarial Image

2019-11-12 本文已影响0人不想掉队的小布丁

摘要：

While JPEG compression is not differentiable, we show how to closely approximate it using only differentiable operations

differentiable approximation to rounding:

原本的方式使得导数几乎处处为0，与FGSM方法不兼容，因此改成用以上式子的方法
Creating JPEG-resistant adversarial images

In this paper, we showed how to defeat the JPEG defense by performing an adaptive attack with a differentiable JPEG approximation. By ensembling target models that use varying amounts of compression, our adversarial examples generalize to models with and without this defense.

在input阶段，对图像进行jpeg compression时使用 $JPEG_{diff}(x,q)$ (a differentiable JPEG approximation)，也就是说，我们优化问题变为: $argmax_{x′} l(C(x),C(JPEG_{diff}(x′,q))) s.t.∥x′ − x∥ < d.$
这需要计算梯度:
$∇_{x′}[l(C(x),C(JPEG_{diff}(x′,q)))]$
此时compress对fgsm的防御能力会下降。

JPEG-resistant Adversarial Image

猜你喜欢

热点阅读