An extreme attack base on the paper "One pixel attack for fooling deep neural networks".
- Our results:
-
- One-pixel-attack results:
-
- Our adversarial pixel is harder or even impossible to find.
- Objective:
- $$ L = e^{\gamma(C-1)} + \Delta $$, a soft manner.
- where C stands for real class label,
$\Delta$ stands for the difference between the pixel before and after attack. -
$\gamma$ is a threshold to control the exponential growth rate.
- YUV color space:
- https://en.wikipedia.org/wiki/YUV
- The different
$\Delta$ is calculated on YUV space instead of RGB space.
- Run on cifar10.
- Run on basic leNet and ResNet.
- Regulation on
$\Delta$ . - Run on more models.
- Run on imageNet.