A Proof of Concept to Deceive Humans and Machines at Image Classification with Evolutionary Algorithms

  • Conference paper
Intelligent Information and Database Systems (ACIIDS 2020)

Abstract

The range of applications of Neural Networks encompasses image classification. However, Neural Networks are exposed to vulnerabilities, and may misclassify adversarial images, leading to potentially disastrous consequences. We give here a proof of concept of a black-box, targeted, non-parametric attack using evolutionary algorithms to fool both neural networks and humans at the task of image classification. Our feasibility study is performed on VGG-16 trained on CIFAR-10. Given two categories \(c_i \ne c_t\) of CIFAR-10, and an original image classified by VGG-16 as belonging to \(c_i\), we evolve this original image to a modified image that will be classified by VGG-16 as belonging to \(c_t\), although a human would still likely classify the modified image as belonging to \(c_i\).

Author information

Corresponding author

Correspondence to Raluca Chitic.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Chitic, R., Bernard, N., Leprévost, F. (2020). A Proof of Concept to Deceive Humans and Machines at Image Classification with Evolutionary Algorithms. In: Nguyen, N., Jearanaitanakij, K., Selamat, A., Trawiński, B., Chittayasothorn, S. (eds) Intelligent Information and Database Systems. ACIIDS 2020. Lecture Notes in Computer Science, vol 12034. Springer, Cham. https://doi.org/10.1007/978-3-030-42058-1_39

  • DOI: https://doi.org/10.1007/978-3-030-42058-1_39

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42057-4

  • Online ISBN: 978-3-030-42058-1

  • eBook Packages: Computer Science, Computer Science (R0)
