What if Adversarial Samples were Digital Images
B. Bonnet, T. Furon, P. Bas
Code Available — Be the first to reproduce this paper.
ReproduceCode
Abstract
Abstract : Although adversarial sampling is a trendy topic in computer vision , very few works consider the integral constraint: The result of the attack is a digital image whose pixel values are integers. This is not an issue at first sight since applying a rounding after forging an adversarial sample trivially does the job. Yet, this paper shows theoretically and experimentally that this operation has a big impact. The adversarial perturbations are fragile signals whose quantization destroys its ability to delude an image classifier. This paper presents a new quantization mechanism which preserves the adversariality of the perturbation. Its application outcomes to a new look at the lessons learnt in adversarial sampling