On Generating JPEG Adversarial Images

Adversarial attacks slightly perturb the original image to fool deep neural networks (DNN). Various schemes have been proposed to generate uncompressed adversarial images, which are usually ineffective after being compressed during the transmission. In this paper, we propose to generate JPEG adversarial images directly from the DNN. Two adversarial rounding schemes, including fast rounding and iterative rounding, are proposed to produce quantized DCT coefficients of JPEG adversarial images. Both schemes use the gradients of adversarial images in the DCT domain to guide the rounding. In fast rounding, we propose a novel indicator to evaluate the importance of the DCT coefficients for adversarial attacks, where only those with high importance are adversarially rounded to reduce the distortion. In iterative rounding, we additionally incorporate a loss function to mea-sure the distortion caused by adversarial rounding. The experiments show that our schemes can obtain effective JPEG adversarial images with low distortion.