Towards Benchmarking and Assessing Visual Naturalness of Physical World Adversarial Attacks

Physical-world adversarial attacks are highly practical and threatening: they fool real-world deep learning systems by generating conspicuous, maliciously crafted real-world artifacts. Evaluating naturalness is strongly emphasized for physical-world attacks, since humans can easily detect and remove unnatural ones. However, current studies evaluate naturalness case by case, which leads to errors, bias, and inconsistencies. In this paper, we take the first step toward benchmarking and assessing the visual naturalness of physical-world attacks, using the autonomous driving scenario as a first attempt. First, to benchmark attack naturalness, we contribute the first Physical Attack Naturalness (PAN) dataset, which includes human ratings and gaze data. PAN verifies several insights for the first time: naturalness is (disparately) affected by contextual features (i.e., environmental and semantic variations) and correlates with behavioral features (i.e., the gaze signal). Second, to automatically assess attack naturalness in a way that aligns with human ratings, we introduce the Dual Prior Alignment (DPA) network, which aims to embed human knowledge into the model's reasoning process. Specifically, DPA imitates human reasoning in naturalness assessment through rating prior alignment and mimics human gaze behavior through attentive prior alignment. We hope our work fosters research on improving and automatically assessing the naturalness of physical-world attacks. Our code and dataset can be found at https://github.com/zhangsn-19/PAN.
