Smooth adversarial examples

This paper investigates the visual quality of the adversarial examples. Recent papers propose to smooth the perturbations to get rid of high frequency artifacts. In this work, smoothing has a different meaning as it perceptually shapes the perturbation according to the visual content of the image to be attacked. The perturbation becomes locally smooth on the flat areas of the input image, but it may be noisy on its textured areas and sharp across its edges.This operation relies on Laplacian smoothing, well-known in graph signal processing, which we integrate in the attack pipeline. We benchmark several attacks with and without smoothing under a white box scenario and evaluate their transferability. Despite the additional constraint of smoothness, our attack has the same probability of success at lower distortion.


Introduction
Adversarial examples where introduced by Szegedy et al. [34] as imperceptible perturbations of a test image that can change a neural network's prediction.This has spawned active research on adversarial attacks and defenses with competitions among research teams [17].Despite the theoretical and practical progress in understanding the sensitivity of neural networks to their input, assessing the imperceptibility of adversarial attacks remains elusive: user studies show that L p norms are largely unsuitable, whereas more sophisticated measures are limited too [30].
Machine assessment of perceptual similarity between two images (the input image and its adversarial example) is arguably as difficult as the original classification task, while human assessment of whether one image is adversarial is hard when the L p norm of the perturbation is small.Of course, when both images are available and the perturbation is isolated, one can always see it.To make the problem interesting, we ask the following question: given a single image, can the effect of a perturbation be magnified to the extent that it becomes visible and a human may decide whether this example is benign or adversarial?
Figure 1 shows that the answer is positive for a range of popular adversarial attacks.In Appendix A we propose a (e) DeepFool [24] (f) Universal [23] (g) FGSM [6] (h) I-FGSM [15] Figure 1.Given a single input image, our adversarial magnification (cf .Appendix A) reveals the effect of a potential adversarial perturbation.We show (a) the original image followed by (b) its own magnified version as well as (c)-(h) magnified versions of adversarial examples generated by different attacks.Our smooth adversarial example (d) is invisible even when magnified.
simple adversarial magnification producing a "magnified" version of a given image, without the knowledge of any other reference image.Assuming that natural images are locally smooth, this can reveal not only the existence of an adversarial perturbation but also its pattern.One can recognize, for instance, the pattern of Fig. 4 of [23] in our Fig.1(f), revealing a universal adversarial perturbation.Motivated by this example, we argue that popular adversarial attacks have a fundamental limitation in terms of imperceptibility that we attempt to overcome by introducing smooth adversarial examples.Our attack assumes local smoothness and generates examples that are consistent with the precise smoothness pattern of the input image.More than just looking "natural" [37] or being smooth [10,8], our adversarial examples are photorealistic, low-distortion, and virtually invisible even under magnification.This is evident by comparing our magnified example in Fig. 1(d) to the magnified original in Fig. 1(b).
Given that our adversarial examples are more constrained, an interesting question is whether they perform well according to metrics like probability of success and L p distortion.We show that our attack is not only competitive but outperforms Carlini & Wagner [1], from which our own attack differs basically by a smoothness penalty.
Contributions.As primary contributions, we 1. investigate the behavior of existing attacks when perturbations become "smooth like" the input image; and 2. devise one attack that performs well on standard metrics while satisfying the new constraint.As secondary contributions, we 3. magnify perturbations to facilitate qualitative evaluation of their imperceptibility; and 4. define a new, more complete/fair evaluation protocol.
The remaining text is organized as follows.Section 2 formulates the problem and introduces a classification of attacks.It describes the C&W attack and the related work.Section 3 explains Laplacian smoothing, on which we build our method.Section 4 presents our smooth adversarial attacks, and section 5 provides experimental evaluation.Conclusions are drawn section 6.Our adversarial magnification used to generate Fig. 1 is specified in Appendix A.

Problem formulation and related work
Let us denote by x ∈ X := [0, 1] n×d an image of n pixels and d color channels that has been flattened in a given ordering of the spatial components.A classifier network f maps that input image x to an output y = f(x) ∈ R k which contains the logits of k classes.It is typically followed by softmax and cross-entropy loss at supervised training or by arg max at test time.An input x with logits y = f(x) is correctly classified if the prediction p(x) := arg max i y i equals the true label of x.
The attacker mounts a white-box attack that is specific to f, public and known.The attack modifies an original image x o ∈ X with given true label t ∈ {1, . . ., k} into an adversarial example x a ∈ X , which may be incorrectly classified by the network, that is p(x a ) = t, although it looks similar to the original x o .The latter is often expressed by a small L 2 distortion x a − x o .

Families of attacks
In a white box setting, attacks typically rely on exploiting the gradient of some loss function.We propose to classify known attacks into three families.
Target Distortion.This family gathers attacks targeting a distortion given as an input parameter.Examples are early attacks like Fast Gradient Sign Method (FGSM) [6] and Iterative-FGSM (I-FGSM) [15].Their performance is then measured by the probability of success P suc := P(p(x a ) = t) as a function of .
Target Success.This family gathers attacks that always succeed in misclassifying x a , at the price of a possible large distortion.DeepFool [24] is a typical example.Their performance is then measured by the expected distortion These two first families are implemented with variations of a gradient descent method.A classification loss function is defined on an output logit vector y = f(x) with respect to the original true label t, denoted by (y, t).
Target Optimality.The above attacks are not optimal because they a priori do not solve the problem of succeeding under minimal distortion, Szegedy et al. [34] approximate this constrained minimization problem by a Lagrangian formulation Parameter λ controls the trade-off between the distortion and the classification loss.Szegedy et al. [34] carry out this optimization by box-constrained L-BFGS.The attack of Carlini & Wagner [1], denoted C&W in the sequel, pertains to this approach.A change of variable eliminates the box constraint: x ∈ X is replaced by σ(w), where w ∈ R n×d and σ is the element-wise sigmoid function.A margin is introduced: an untargeted attack makes the logit y t less than any other logit y i for i = t by at least a margin m ≥ 0. Similar to the multi-class SVM loss by Crammer and Singer [4] (where m = 1), the loss function is then defined as where [•] + denotes the positive part.The C&W attack uses the Adam optimizer [14] to minimize the functional When the margin is reached, loss (y, t) (3) vanishes and the distortion term pulls σ(w) back towards x o , causing oscillations around the margin.Among all successful iterates, the one with the least distortion is kept; if there is none, the attack fails.The process is repeated for different Lagrangian multiplier λ according to line search.This family of attacks is typically more expensive than the two first.

Imperceptibility of adversarial perturbations
Adversarial perturbations are often invisible only because their amplitude is extremely small.Few papers deal with the need of improving the imperceptibility of the adversarial perturbations.The main idea in this direction is to create low or mid-frequency perturbation patterns.
Zhou et al. [40] add a regularization term for the sake of transferability, which removes the high frequencies of the perturbation via low-pass spatial filtering.Heng et al. [10] propose a harmonic adversarial attack where perturbations are very smooth gradient-like images.Guo et al. [8] design an attack explicitly in the Fourier domain.However, in all cases above, the convolution and the bases of the harmonic functions and of the Fourier transform are independent of the visual content of the input image.
In contrast, the adversarial examples in this work are crafted to be locally compliant with the smoothness of the original image.Our perturbation may be sharp across the edges of x o but smooth wherever x o is, e.g. on background regions.It is not just smooth but photorealistic, because its smoothness pattern is guided by the input image.
An analogy becomes evident with digital watermarking [28].In this application, the watermark signal pushes the input image into the detection region (the set of images deemed as watermarked by the detector), whereas here the adversarial perturbation drives the image outside its class region.The watermark is invisible thanks to the masking property of the input image [3].Its textured areas and its contours can hide a lot of watermarking power, but the flat areas can not be modified without producing noticeable artefacts.Perceptually shaping the watermark signal allows a stronger power, which in turn yields more robustness.
Another related problem, with similar solutions mathematically, is photorealistic style transfer.Luan et al. [22] transfer style from a reference style image to an input image, while constraining the output to being photorealistic with respect to the input.This work as well as follow-up works [27,20] are based on variants of Laplacian smoothing or regularization much like we do.
It is important to highlight that high frequencies can be powerful for deluding a network, as illustrated by the extreme example of the one pixel attack [32].However this is arguably one of the most visible attacks.

Background on graph Laplacian smoothing
Popular attacks typically produce noisy patterns that are not found in natural images.They may not be visible at first sight because of their low amplitude, but they are easily detected once magnified (see Fig. 1).Our objective is to craft an adversarial perturbation that is locally as smooth as the input image, remaining invisible through magnification.This section gives background on Laplacian smoothing [38,13], a classical operator in graph signal processing [29,31], which we adapt to images here.Section 4 uses it generate a smooth perturbation guided by the original input image.
Graph.Laplacian smoothing builds on a weighted undirected graph whose n vertices correspond to the n pixels of the input image x o .The i-th vertex of the graph is associated with feature denotes the spatial coordinates of the n pixels in the image, and similarly p = [p 1 , . . ., p n ] .An edge (i, j) of the graph is associated with weight w ij ≥ 0, giving rise to an n×n symmetric adjacency matrix W, for instance defined as for i, j ∈ {1, . . ., n}, where k f is a feature kernel and k s is a spatial kernel, both being usually Gaussian or Laplacian.The spatial kernel is typically nonzero only on nearest neighbors, resulting in a sparse matrix W. We further define the n × n degree matrix D := diag(W1 n ) where 1 n is the all-ones n-vector.
Regularization [38].Now, given a new signal z ∈ R n×d on this graph, the objective of graph smoothing is to find the output signal s α (z) := arg min r∈R n×d φ α (r, z) with where r := D −1/2 r and • F is the Frobenius norm.The first summand is the smoothness term.It encourages ri to be close to rj when w ij is large, i.e. when pixels i and j of input x o are neighbours and similar.This encourages r to be smooth wherever x o is.The second summand is the fitness term that encourages r to stay close to z. Parameter α ∈ [0, 1) controls the trade-off between the two.
Filtering.If we symmetrically normalize matrix W as W := D −1/2 WD −1/2 and define the n × n regularized Laplacian matrix L α := (I n − αW)/(1 − α), then the expression (6) simplifies to the following quadratic form: This reveals, by letting the derivative ∂ φ/∂r vanish independently per column, that the smoothed signal is simply: This is possible because matrix L α is positive-definite.Parameter α controls the bandwidth of the smoothing: function s α is the all-pass filter for α = 0 and becomes a strict 'low-pass' filter when α → 1 [11].
Variants of the model above have been used for instance for interactive image segmentation [7,13,36], transductive semi-supervised classification [41,38], and ranking on manifolds [39,12].Input z expresses labels known for some input pixels (for segmentation) or samples (for classification), or identifies queries (for ranking), and is null for the remaining vertices.Smoothing then spreads the labels to these vertices according the weights of the graph.
Normalization.Contrary to applications like interactive segmentation or semi-supervised classification [38,13], z does not represent a binary labeling but rather an arbitrary perturbation in this work.Also contrary to such applications, the output is neither normalized nor taken as the maximum over feature dimensions (channels).If L −1 α is seen as a spatial filter, we therefore row-wise normalize it to one in order to preserve the dynamic range of z: The normalized smoothing function ŝα of course depends on x o .We omit this from notation but we say ŝα is smoothing guided by x o and the output is smooth like x o .

Integrating smoothness into the attack
The key idea of the paper is that the smoothness of the perturbation is now consistent with the smoothness of the original input image x o , which is achieved by smoothing operations guided by x o .This section integrates smoothness into attacks targeting distortion (section 4.1) and attacks targeting optimality (section 2.1).

Simple attacks
We consider here simple attacks targeting distortion or success based on gradient descent of the loss function.There are many variations which normalize or clip the update according to the norm used for measuring the distortion, a learning rate or a fixed step etc.These variants are loosely prototyped as the iterative process x (k+1) where c is a clipping function and n a normalization function according to the variant.Function c should at least produce a valid image: c(x) ∈ X = [0, 1] n×d .
Quick and dirty.To keep these simple attacks simple, smoothness is loosely integrated after the gradient computation and before the update normalization: This approach can be seen as a projected gradient descent on the manifold of perturbations that are smooth like x o .

Attack targeting optimality
This section integrates smoothness in the attacks targeting optimality like C&W.Our starting point is the unconstrained problem (4) [1].However, instead of representing the perturbation signal r := x − x o implicitly as a function σ(w) − x o of another parameter w, we express the objective explicitly as a function of variable r, as in the original formulation of (2) in [34].We make this choice because we need to directly process the perturbation r independently of x o .On the other hand, we now need the element-wise clipping function c(x) := min([x] + , 1) to satisfy the constraint where r is unconstrained in R n×d .
Smoothness penalty.At this point, optimizing (13) results in 'independent' updates at each pixel.We would rather like to take the smoothness structure of the input x o into account and impose a similar structure on r.Representing the pairwise relations by a graph as discussed in section 3, a straightforward choice is to introduce a pairwise loss term into (13), where we recall that w ij are the elements of the adjacency matrix W of x o , r := D −1/2 r and D := diag(W1 n ).A problem is that the spatial kernel is typically narrow to capture smoothness only locally.Even if parameter µ is large, it would take a lot of iterations for the information to propagate globally, each iteration needing a forward and backward pass through the network.
Smoothness constraint.What we advocate instead is to apply a global smoothing process at each iteration: we introduce a latent variable z ∈ R n×d and seek for a joint solution with respect to r and z of the following min r,z where φ is defined by (6).In words, z represents an unconstrained perturbation, while r should be close to z, smooth like x o , small, and such that the perturbed input x o + r satisfies the classification objective.Then, by letting µ → ∞, the first term becomes a hard constraint imposing a globally smooth solution at each iteration: subject to r = ŝα (z), where ŝα is defined by (9).During optimization, every iterate of this perturbation r is smooth like x o .
Optimization.With this definition in place, we solve for z the following unconstrained problem over R n×d : Observe that this problem has the same form as (13), where r has been replaced by ŝα (z).This implies that we can use the same optimization method as the C&W attack.The only difference is that the variable is z, which we initialize by z = 0 n×d , and we apply function ŝα at each iteration.Gradients are easy to compute because our smoothing is a linear operator.We denote the loss on this new variable by L(z) := (f(c(x o + ŝα (z))), t).Its gradient is (19) where J ŝα (z) is the n × n Jacobian matrix of the smoothing operator at z. Since our smoothing operator as defined by ( 8) and ( 9) is linear, α is a matrix constant in z, and multiplication by this matrix is equivalent to smoothing.The same holds for the distortion penalty ŝα (z) 2 .This means that in the backward pass, the gradient of the objective (18) w.r.t.z is obtained from the gradient w.r.t.r (or x) by smoothing, much like how r is obtained from z in the forward pass (17).
Matrix L α is fixed during optimization, depending only on input x o .For small images like in the MNIST dataset [18], it can be inverted: function ŝα is really a matrix multiplication.For larger images, we use the conjugate gradient (CG) method [25] to solve the set of linear systems L α r = z for r given z.Again, this is possible because matrix L α is positive-definite, and indeed it is the most common solution in similar problems [7,2,12].At each iteration, one computes a product of the form v → L α v, which is efficient because L α is sparse.In the backward pass, one can either use CG on the gradient, or auto-differentiate through the forward CG iterations.These options have the same complexity.We choose the latter.
Discussion.The clipping function c that we use is just the identity over the interval [0, 1] but outside this interval its derivative is zero.Carlini & Wagner [1] therefore argue that the numerical solver of problem ( 13) suffers from getting stuck in flat spots: when a pixel of the perturbed input x o + r falls outside [0, 1], it keeps having zero derivative after that and with no chance of returning to [0, 1] even if this is beneficial.This limitation does not apply to our case thanks to the L 2 distortion penalty in (13) and to the updates in its neighborhood: such a value may return to [0, 1] thanks to the smoothing operation.

Experiments
Our experiments focus on the white-box setting, where the defender first exhibits a network, and then the attacker  mounts an attack specific to this network; but we also investigate a transferability scenario.All attacks are untargetted, as defined by loss function (3).

Evaluation protocol
We evaluate the strength of an attack by two global statistics and by an operating characteristic curve.Given a test image set of N images, we only consider its subset X of N images that are classified correctly without any attack.The accuracy of the classifier is N/N .Let X suc be the subset The global statistics are the success probability P suc and expected distortion D as defined in section 2, estimated by with the exception that D here is the conditional average distortion, where conditioning is on success.Indeed, distortion makes no sense for a failure.
If D max = max xo∈Xsuc D(x o ) is the maximum distortion, the operating characteristic function P : [0, D max ] → [0, 1] measures the probability of success as a function of a given upper bound D on distortion.For D ∈ [0, D max ], This function increases from P(0) = 0 to P(D max ) = P suc .
It is difficult to define a fair comparison of distortion targeting attacks to optimality targeting attacks.For the first family, we run a given attack several times over the test set with different target distortion .The attack succeeds on image x o ∈ X if it succeeds on any of the runs.For x o ∈ X suc , the distortion D(x o ) is the minimum distortion over all runs.All statistics are then evaluated as above.

Datasets, networks, and attacks
MNIST [19].We consider a simple convolutional network with three convolutional layers and one fully connected layer that we denote as C4, giving accuracy 0.99.In detail, the first convolutional layer has 64 features, kernel of size 8 and stride 2; the second layer has 128 features, kernel of size 6 and stride 2; the third has also 128 features, but kernel of size 5 and stride 1.

White box scenario
The global statistics P suc , D are shown in Table 1.Operating characteristics over MNIST and ImageNet are shown in Figures 2 and 3 respectively.
We observe that our sC&W, with the proper integration via a latent variable (18), improves a lot the original C&W in terms of distortion, while keeping the probability of success roughly the same.This is surprising.We would expect a price to be paid for a better invisibility as the smoothing is adding an extra constraint on the perturbation.All results clearly show the opposite.On the contrary, the 'quick and dirty' integration (12) dramatically spoils sPGD 2 with big distortion especially on MNIST.This reveals that attacks behave in different ways under the new constraint.
We further observe that PGD 2 outperforms by a vast margin C&W, which is supposed to be close to optimality.This may be due in part to how the Adam optimizer treats L 2 norm penalties as studied in [21].C&W internally optimizes its parameter c = 1/λ independently per image, while for PGD 2 we externally try a small set of target distortions D on the entire dataset.This is visible in Fig. 2, where the operating characteristic is piecewise constant.This interesting finding is a result of our new evaluation protocol.Our comparison is fair, given that C&W is more expensive.
As already observed in the literature, ResnetV2 is more robust than InceptionV3: the operating characteristic curves are shifted to the right and increase at a slower rate.
To further understand the different behavior of C&W and PGD 2 under smoothness, Figures 5 and 4 show MNIST and ImageNet examples respectively, focusing on worst cases.Both sPGD 2 and sC&W produce smooth perturbations that look more natural.However, smoothing of sPGD 2 is more aggressive especially on MNIST, as these images contain flat black or white areas.The perturbation update ŝα (g) is then weakly correlated with gradient g, which is not efficient to lower the classification loss.In natural images, except for worst cases like Fig 4(c), the perturbation of sC&W is totally invisible.The reason is the 'phantom' of the original that is revealed when the perturbation is isolated.
Table 2 shows interesting results.As expected, FGSM is defeated in all cases, while average distortion of all attacks is increased in general.What is unexpected is that on MNIST, sC&W remains successful while the probability of C&W drops.On ImageNet on the other hand, it is the probability of the smooth versions sPGD 2 and sC&W that drops.I-FGSM is also defeated in this case, in the sense that average distortion increases too much.

Transferability
This section investigates the transferability of the attacks under the following scenario: the attacker has now a partial knowledge about the network.For instance, he/she knows that the defender chose a variant of InceptionV3, but this   variant is not public so he/she attacks InceptionV3 instead.Also, this time he/she is not allowed to test different distor-tion targets.The results are shown in Table 3.
The first variant uses a bilateral filter (with standard deviation 0.5 and 0.2 in the domain and range kernel respectively; cf .appendix A) before feeding the network.This does not really prevent the attacks.PGD 2 remains a very powerful attack if the distortion is large enough.Smoothing does not improve the statistics but the perturbations are less visible.The second variant uses the adversarially trained InceptionV3, which is, on the contrary, a very efficient counter-measure under this scenario.

Conclusion
Smoothing helps mask the adversarial perturbation, when it is 'like' the input image.It allows the attacker to delude more robust networks thanks to larger distortions while still being invisible.However, its impact on transferability is mitigated.While clearly not every attack is improved by such smoothing, which was not our objective, it is impressive how sC&W improves upon C&W in terms of distortion and imperceptibility at the same time.
The question raised in the introduction is still open: Fig. 1 shows that a human does not make the difference between the input image and its adversarial example even with magnification.This does not prove that an algorithm will not detect some statistical evidence.

A. Adversarial magnification
Given a single-channel image x : Ω → R as input, its adversarial magnification mag(x) : Ω → R is defined as the following local normalization operation mag(x) := x − µ x (x) βσ x (x) + (1 − β)σ Ω (x) , where µ x (x) and σ x (x) are the local mean and standard deviation of x respectively, and σ Ω (x) ∈ R + is the global standard deviation of x over Ω. Parameter β ∈ [0, 1] determines how much local variation is magnified in x.
In our implementation, µ x (x) = b(x), the bilateral filtering of x [35].It applies a local kernel at each point p ∈ Ω that is the product of a domain and a range Gaussian kernel.The domain kernel measures the geometric proximity of every point q ∈ Ω to p as a function of p − q and the range kernel measures the photometric similarity of every point q ∈ Ω to p as a function |x(p) − x(q)|.On the other hand, σ x (x) = b x ((x − µ x (x)) 2 ) −1/2 , where b x is a guided version of the bilateral filter, where it is the reference image x rather than (x − µ x (x)) 2 that is used in the range kernel.
When x : Ω → R d is a d-channel image, we apply all the filters independently per channel, but photometric similarity is just one scalar per point as a function of the Euclidean distance x(p) − x(q) measured over all d channels.
In Fig. 1, β = 0.8.The standard deviation of both the domain and range Gaussian kernels is 5.

Figure 4 .
Figure 4. Original image xo (left), adversarial image xa = xo + r (above) and scaled perturbation r (below; distortion D = r ) against InceptionV3 on ImageNet.Scaling maps each perturbation and each color channel independently to [0, 1].The perturbation r is indeed smooth like xo for sC&W.(a) Despite the higher distortion compared to C&W, the perturbation of sC&W is totally invisible, even when magnified (cf .Fig. 1).(b) One of the failing examples of [10] that look unnatural to human vision.(c) One of the examples with the strongest distortion over ImageNet for sC&W: xo is flat along stripes, reducing the dimensionality of the 'smooth like xo' manifold.

Figure 5 .
Figure 5.For a given attack (denoted by * and bold typeface), the adversarial image with the strongest distortion D over MNIST.In green, the attack succeeds; in red, it fails.

Table 1 .
Success probability Psuc and average L2 distortion D.

Table 2 .
Success probability and average L2 distortion D when attacking networks adversarially trained against FGSM.

Table 3 .
Success probability and average L2 distortion D of attacks on variants of InceptionV3 under transferability.