Black box phase-based adversarial attacks on image classifiers

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

We propose a new method of utilizing a spatial light modulator to generate adversarial examples against image classifiers within a black box scenario. The method incorporates a simple-shape-focused strategy that queries the target network and estimates the effect of perturbing specific regions of the Fourier plane. This work is an extension of previous work that uses a spatial light modulator to perturb the phase of incoming light to generate adversarial patterns using l2-norm optimization. Our new method simply uses the final logits of the target network, allowing for it to be used not only in “white box” scenarios but also in the information-constrained “black box” scenarios. Our shape-based algorithm is shown to be widely effective on the original dataset benchmark without the requirement of knowledge about the target network architecture. Our experiments explore how manipulating the size, shape, number, and magnitude of the regions tested affects the efficacy and pattern cycles needed to generate a successful attack. Different combinations showed a range of average efficacy between 32% and 63% under a consistent objective function. Our new method also proved to be effective on a smaller dataset (meaning fewer classes for classification to be misdirected towards). We validate our method using a physical setup.

Original language: English (US)
Title of host publication: Automatic Target Recognition XXXIV
Editors: Kenny Chen, Riad I. Hammoud, Timothy L. Overman
Publisher: SPIE
ISBN (Electronic): 9781510673960
State: Published - 2024
Event: Automatic Target Recognition XXXIV 2024 - National Harbor, United States
Duration: Apr 21 2024 to Apr 25 2024

Publication series

Name: Proceedings of SPIE - The International Society for Optical Engineering
Volume: 13039
ISSN (Print): 0277-786X
ISSN (Electronic): 1996-756X

Conference

Conference: Automatic Target Recognition XXXIV 2024
Country/Territory: United States
City: National Harbor
Period: 4/21/24 to 4/25/24

All Science Journal Classification (ASJC) codes

  • Electronic, Optical and Magnetic Materials
  • Condensed Matter Physics
  • Computer Science Applications
  • Applied Mathematics
  • Electrical and Electronic Engineering
