
Light Lies: Optical Adversarial Attack




Kyulim Kim, JeongSoo Kim, Seungri Song, Jun-Ho Choi, Chulmin Joo, Jong-Seok Lee

Department of Artificial Intelligence, Yonsei University, South Korea
Department of Mechanical Engineering, Yonsei University, South Korea
School of Integrated Technology, Yonsei University, South Korea

Abstract

A significant amount of work has been done on adversarial attacks that inject imperceptible noise to images to deteriorate the image classification performance of deep models. However, most of the existing studies consider attacks in the digital (pixel) domain where an image acquired by an image sensor with sampling and quantization has been recorded. This paper, for the first time, introduces an optical adversarial attack, which physically alters the light field information arriving at the image sensor so that the classification model yields misclassification. More specifically, we modulate the phase of the light in the Fourier domain using a spatial light modulator placed in the photographic system. The operative parameters of the modulator are obtained by gradient-based optimization to maximize cross-entropy and minimize distortions. We present experiments based on both simulation and a real hardware optical system, from which the feasibility of the proposed optical attack is demonstrated. It is also verified that the proposed attack is completely different from common optical-domain distortions such as spherical aberration, defocus, and astigmatism in terms of both perturbation patterns and classification results.

1 Introduction

It is well known that injecting small perturbations into input data, a technique known as adversarial attacks, can significantly degrade the performance of deep neural networks.
Because such attacks raise security concerns of deep learning-based applications, many researchers have studied the impact of the adversarial attacks on various deep models, especially for image classification models Goodfellow et al. (2015); Su et al. (2018).

Most existing studies focus on finding adversarial examples in the digital domain, i.e., altering the pixel values of digital images.
Another possibility is that an attack is applied to the target object in the physical domain.
For this, a few studies demonstrate the efficacy of adversarial examples found in the digital domain when they are implemented in the physical domain, e.g., printed objects Kurakin et al. (2017b); Athalye et al. (2018).
Such applicability of adversarial examples on real objects raises more severe security concerns in various practical applications (e.g., autonomous vehicle system Nassi et al. (2019), person detector Xu et al. (2020)).

Orthogonal to these attempts, this paper introduces an optical adversarial attack by considering a new layer between real objects and digital images for implementing adversarial attacks, i.e., the optical system acquiring the light field information from the target object in the physical world and converting it to the image in the digital domain.
The idea is to modulate the phase of the light information in the Fourier domain using a device called spatial light modulator (SLM).
Spatially varying phase modulations are found by optimizing an objective function to minimize image distortion and maximize the cross-entropy, which are realized by the SLM in the optical system.
The change in the digital image obtained by the image sensor due to the phase modulations is hardly perceptible, but can significantly deteriorate the performance of the image classification model.

The main contribution of our work can be summarized as follows.

  • We propose an optical adversarial attack that is implemented in the optical system, which deteriorates the performance of the deep models performing classification using the images acquired from the optical system (Section 3).

  • We show the feasibility of our optical adversarial attack by conducting experiments on a simulated optical system for various images from the ImageNet dataset (Section 4).
    It is shown that the attacked optical system produces output images that have similar quality as the original outputs but fool the subsequent image classification models.

  • We conduct real experiments on an actual system implementing our attack to demonstrate the feasibility of the proposed idea in the real world (Section 5).
    Our attack is also compared to common optical-domain phase distortions such as spherical aberration, defocus, and astigmatism, which verifies the significant superiority of our method as an attack.

Our work has two important implications.
First, our work is the first to demonstrate the possibility of implementing adversarial attacks by altering the light information in the optical system.
The work in Li et al. (2019) proposes a physical attack by putting a sticker on the camera lens, but the attack occurs outside the optical system and, furthermore, physical intervention (i.e., putting a sticker) is required.
In contrast, our attack takes place inside the optical system, and is implemented without physical intervention by maliciously controlling the computer used as the controller of the SLM.
Second, we raise a new immediate vulnerability issue of practical systems where SLMs are employed, including biomedical imaging, holography, and optical encryption.
In such systems, our work shows that malicious attempts may be made not only by conventional attacks in the digital domain but also by optical attacks in the physical domain.

2 Related work

2.1 Adversarial attack

Various adversarial attack methods against image classification models have been developed.
Goodfellow et al. (2015) proposed the fast gradient sign method (FGSM) that obtains a perturbation for a given image from the sign of the gradients of a target image classification model.
Kurakin et al. (2017a) extended FGSM to an iterative approach to find a more powerful perturbation, which is called I-FGSM.
Carlini and Wagner (2017) developed an efficient attack method that finds a perturbation by minimizing the amount of deterioration and the distance of logits between the original predicted class label and the target label.

While the aforementioned methods focus on injecting a perturbation into a given digital image that will be directly inputted to a target image classification model, some researchers have also investigated adversarial examples that are applicable to physical objects.
Kurakin et al. (2017b) demonstrated the feasibility of finding adversarial examples that can fool the classification model even when the attacked images are printed and captured again using a phone camera.
Eykholt et al. (2019) showed that physically perturbing real objects such as road signs can attack image classification models.
Athalye et al. (2018) further provided adversarial showcases with 3D-printed objects that can make the classification model misclassify the images taken in various viewpoints.

Previous research has focused on attacking images or objects themselves, and to the best of our knowledge, there is no approach that attacks optical systems acquiring images from real objects.

2.2 SLM-based optical system

An SLM is a computer-controlled active device used to modulate the amplitude, phase, or polarization of light waves in space and time.
Among several types of SLMs, liquid crystal on silicon (LCoS) SLMs are used in applications that call for phase modulations in optical systems such as lithography Jenness et al. (2008, 2010); Lowell et al. (2017), optical tweezer Reicherter et al. (1999); Kim et al. (2016); Hadad et al. (2018), turbulence simulation Burger et al. (2008); Phillips et al. (2005), and imaging Quirin et al. (2013); Wang et al. (2011); Situ et al. (2010); Jesacher et al. (2007); Warber et al. (2010); Mukherjee et al. (2019).

In Fourier optics, a lens is regarded as a Fourier transform engine.
That is, for a given object field in the front focal plane of the lens, its Fourier transform can be obtained in the back focal plane of the lens.
This plane is referred to as the Fourier plane, where one has access to the spatial frequency spectrum of the object field.
By placing an SLM in the Fourier plane, one can alter phase delay individually for each spatial frequency component, thus modifying the transfer function or image formation of an optical imaging system.
For example, it has been shown that the depth-of-field of optical imaging systems can be increased significantly by introducing cubic phase offset in the Fourier plane Quirin et al. (2013).
In addition, the phase modulation technology using SLMs has been used in phase imaging of thin biological specimens Wang et al. (2011); Situ et al. (2010) and aberration correction of optical systems Jesacher et al. (2007); Warber et al. (2010).
Various applications of SLMs for pupil engineering are surveyed in the review paper Maurer et al. (2011).

A recent study by Kravets et al. (2021) introduced a defense technique using an SLM to defend against adversarial attacks applied in the digital domain.
On the other hand, we consider an optical adversarial attack, which is implemented using a phase SLM.

3 Proposed system




Figure 1: Overview of the proposed optical adversarial attack system. A phase modulation module consisting of a polarizer, relay lens, beam splitter, and SLM is implemented to the photography system. The unattacked image obtained without phase modulation and the attacked image obtained with adversarial phase modulation are acquired, respectively. When the acquired images are classified by the deep model, the unattacked image is classified correctly, but the attacked image is misclassified. CL: camera lens; P: polarizer; RL: relay lens; BS: beam splitter.

We set up an SLM-based optical system that consists of a camera lens, an SLM, and an image sensor, which is illustrated in Figure 1.
The image acquisition process is as follows.
First, a commercial camera lens (SP AF 60mm F/2 Di II Macro 1:1, Tamron) collects the object field and then generates the image at the intermediate image plane.
In order to achieve direct access to the Fourier plane, we construct a 4-f system using two lenses (RL, AC508-100-A, Thorlabs) to relay the information onto the image plane.
A phase-only SLM (HSP512, Meadowlark) is placed in the Fourier plane, i.e., the back focal plane of the first relay lens.
Since the SLM is polarization-dependent, a linear polarizer (LPVISC100, Thorlabs) is placed before the SLM.
The phase-modulated light via the SLM is then reflected by the beam splitter (BS031, Thorlabs), and the image in the image plane is captured by an image sensor (Flare 4M180-CL, IO Industries).

An obtained digital image is then inputted to a deep neural network that classifies an object in the image.
In this study, we consider three widely known models, namely, ResNet50 He et al. (2016), VGG16 Simonyan and Zisserman (2015), and MobileNetV3 Howard et al. (2019), which are pre-trained on the ImageNet dataset Russakovsky et al. (2015).

On this system architecture, our optical adversarial attack aims to find an adversarial perturbation that is displayed as an SLM pattern, which leads the classifier to misclassify the resulting image, while no significant visible differences are observed between the unattacked and attacked images.

3.1 Imaging model of SLM-based optical adversarial attack

Let be the intensity of an object.
The camera lens forms image at the intermediate image plane, and then the 4-f system relays this information onto the image plane (see Figure 1).
For an incoherent imaging system, the acquired image can be expressed as Goodman (2005)

(1)

where denotes the incoherent point spread function and represents 2D convolution. is equal to the squared magnitude of the coherent point spread function (i.e., ).
Note that is the Fourier transform of the pupil function .
In the Fourier domain, (1) can be written as

(2)

where is the modulation transfer function, and is the Fourier transform of .
Using convolution theorem, can be obtained as , where is the Fourier transform operator and represents 2D correlation.

We consider a circular aperture in the pupil plane with a radius of .
If a phase modulation is applied in the pupil plane, the corresponding pupil function can be expressed as

(3)

where is the spatial frequency coordinate at the Fourier plane and is the modulated phase distribution, which is applied through the SLM in our case.
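
The forward model of this section, written out as an added example (not the authors' code): it builds a pupil function from a circular aperture and a phase term, derives the incoherent point spread function as the squared magnitude of its Fourier transform, and measures in PSNR how benign phase patterns (a constant offset and defocus) change the captured image. The grid size, aperture radius, quadratic defocus model, test object and all function names are assumptions made for the illustration.

```python
import numpy as np


def frequency_grid(n):
    """Radial spatial-frequency coordinate (cycles/pixel) on a centred n x n grid."""
    f = np.fft.fftshift(np.fft.fftfreq(n))
    fx, fy = np.meshgrid(f, f)
    return np.hypot(fx, fy)


def pupil_function(rho, radius, phase):
    """Circular aperture of the given radius carrying a phase modulation (radians)."""
    return (rho <= radius) * np.exp(1j * phase)


def defocus_phase(rho, radius, peak_rad):
    """Assumed defocus model: quadratic phase reaching peak_rad at the aperture edge."""
    return peak_rad * (rho / radius) ** 2


def capture(obj, pupil):
    """Incoherent image formation: object intensity convolved with |coherent PSF|^2."""
    coherent_psf = np.fft.ifft2(np.fft.ifftshift(pupil))  # Fourier transform of the pupil
    psf = np.abs(coherent_psf) ** 2                        # incoherent PSF
    psf /= psf.sum()                                       # conserve total intensity
    otf = np.fft.fft2(psf)                                 # transfer function in the Fourier domain
    return np.real(np.fft.ifft2(np.fft.fft2(obj) * otf))


def psnr(reference, test, peak=1.0):
    """Peak signal-to-noise ratio in dB for images scaled to [0, peak]."""
    mse = np.mean((reference - test) ** 2)
    return float("inf") if mse == 0 else float(10 * np.log10(peak ** 2 / mse))


def constructed_object(n=128):
    """Constructed test object: thin bars (fine detail) plus a uniform disc."""
    obj = np.zeros((n, n))
    obj[16:112:8, 16:64] = 1.0
    yy, xx = np.mgrid[:n, :n]
    obj[(yy - 80) ** 2 + (xx - 92) ** 2 < 18 ** 2] = 0.7
    return obj


def compare_distortions(n=128, radius=0.25):
    """PSNR of phase-distorted captures against the capture with no phase modulation."""
    obj = constructed_object(n)
    rho = frequency_grid(n)
    reference = capture(obj, pupil_function(rho, radius, np.zeros((n, n))))
    phases = {
        "piston 1.3 rad": np.full((n, n), 1.3),   # constant phase: no effect on intensity
        "defocus 1 rad": defocus_phase(rho, radius, 1.0),
        "defocus 6 rad": defocus_phase(rho, radius, 6.0),
    }
    return {
        name: psnr(reference, capture(obj, pupil_function(rho, radius, phase)))
        for name, phase in phases.items()
    }


if __name__ == "__main__":
    for name, value in compare_distortions().items():
        print(f"{name:>15}: PSNR = {value:.2f} dB")
```

A simulation of this kind gives a baseline for how much ordinary aberrations change the image at a given PSNR, which is the comparison the paper draws against defocus and the other optical distortions in Section 5.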

3.2 Finding adversarial perturbation

In our attack, non-targeted adversarial phase perturbation is found by a gradient-based -norm optimization method to maximize the classification loss while minimizing image distortions.

Let denote the attacked version of with phase modulation .
The optimization problem to find is written as

(4)

where is a balancing constant between the two terms, is the classification loss (i.e., cross-entropy), is the ground truth class label, and is the classification model.
To find an appropriate value of , we adopt an iterative approach that starts with a large value (to ensure a small amount of image distortion) and gradually decreases it until the classification result becomes incorrect.

4 Simulation experiments

Before we apply our adversarial attack on a real system composed of physical devices, we first conduct experiments on a simulation environment using the forward model explained in Section 3.1.
This enables us to find out the feasibility of our proposed adversarial attack method by employing a relatively larger number of images containing diverse objects.

4.1 Implementation details

We employ 1,000 test images of the NeurIPS 2017 Adversarial Attacks and Defences Competition Kurakin et al. (2018) (we obtained the images from https://kaggle.com/c/6864).
This dataset contains images associated with each of the 1,000 ImageNet classes, which are not included in the training images of the original ImageNet dataset.



[Figure 2, panels (a) and (b): images not reproduced. Labels shown in panel (b): mountain bike, mountain bike, tricycle.]

Figure 2: (a) Comparison of the classification accuracy of the original and attack images with respect to the value of for the VGG16 model. PSNR values calculated from the unattacked and attacked images are also shown. (b) A showcase of the attacked images (top) and their phase perturbations (bottom) for different values of .

The classification accuracy is used as the primary evaluation metric.
In addition, we employ the peak signal-to-noise ratio (PSNR) and structural similarity (SSIM) to measure the amount of deterioration in the attacked images compared to their corresponding unattacked images.

To find an adversarial example for a given image by (4), we employ the Adam optimizer Kingma and Ba (2014) because it is known to be effective in quickly finding adversarial examples Carlini and Wagner (2017).
We use a learning rate of and a weight decay factor of .
We initially set the value to and reduce it by if a valid is not found within the maximum number of iterations, which is set to 150.
The optimization process stops once we obtain a valid that makes the model misclassify the attacked image.

We observe that both accuracy and PSNR tend to converge to certain values as decreases.
Figure 2(a) shows such a tendency of convergence for VGG16.
When becomes , the accuracy and PSNR are measured as 0.270 and 33.60 dB, respectively, and both do not significantly change when decreases further.
Therefore, we set the minimum value of as .
Figure 2(b) depicts a showcase of the obtained images for different values of .
The three cases do not show significant perceptual differences, while the classification result becomes wrong when becomes and a larger amount of phase modulation is applied.

4.2 Results

Model Accuracy (original) Accuracy (attacked) PSNR (dB) SSIM
ResNet50 0.896 0.334 33.98 () 0.9623 ()
VGG16 0.840 0.260 32.96 () 0.9561 ()
MobileNetV3 0.860 0.323 35.40 () 0.9669 ()
Table 1: Performance comparison in terms of accuracy, PSNR, and SSIM evaluated on different image classification models. Standard deviations across images are also shown. Note that relatively large standard deviations of PSNR are due to the images with failed attack despite severe phase perturbations and the images with little changes despite the attack.

Table 1 shows the performance comparison on the three classification models.
When the attack method is not employed, all the models achieve classification accuracy above 0.840.
However, when our adversarial attack is employed, the accuracy values are significantly reduced.
This result proves that the optical system for the image classification task is highly vulnerable to our proposed adversarial attack.
In addition, both the PSNR and SSIM values of the images obtained from the attacked optical system are significantly high (i.e., above 30 dB).
It implies that differences between the original and attacked images are hardly noticeable.

As a baseline, we test a so-called “random phase attack” by constructing a random phase pattern that generates a digital image having a similar PSNR value to that of an image obtained from our adversarial attack.
With this method, we obtain images having an average PSNR value of 33.12 dB, which is similar to the average PSNR values in Table 1 and even slightly lower than those obtained from our attack for ResNet50 and MobileNetV3.
However, the classification accuracy barely drops when those images are inputted to the models, which are 0.894, 0.828, and 0.860 for ResNet50, VGG16, and MobileNetV3, respectively.
This result shows that the perturbations found by our proposed attack method are very different from random perturbations and our method successfully deteriorates the classification performance while preserving the quality of the obtained images.

[Figure 3 images not reproduced. Predicted labels with confidence levels, and the PSNR and SSIM between the unattacked and attacked images, as shown in the figure:]

Model | Original | Attacked | PSNR | SSIM
ResNet50 | starfish (70.0%) | honeycomb (12.9%) | 31.94 dB | 0.7712
ResNet50 | cabbage butterfly (45.1%) | earthstar (22.2%) | 35.15 dB | 0.9930
ResNet50 | airliner (94.8%) | space shuttle (43.1%) | 28.58 dB | 0.9840
VGG16 | starfish (23.5%) | flatworm (18.5%) | 39.86 dB | 0.8799
VGG16 | cabbage butterfly (71.6%) | sulphur butterfly (45.1%) | 29.86 dB | 0.9803
VGG16 | airliner (94.8%) | airship (48.1%) | 36.21 dB | 0.9952
MobileNetV3 | starfish (98.2%) | mask (46.4%) | 29.73 dB | 0.7004
MobileNetV3 | cabbage butterfly (72.3%) | axolotl (33.0%) | 37.33 dB | 0.9953
MobileNetV3 | airliner (75.9%) | airship (49.0%) | 36.87 dB | 0.9960

Figure 3: Visual showcases of the unattacked and attacked images for the three image classification models. Classified labels and their confidence levels are also reported. The third column shows the absolute pixel value differences between the unattacked and attacked images, which are magnified 10 times for better visualization. The last column shows the modulated phase in the Fourier domain.

Figure 3 shows example images with and without the adversarial attack.
The absolute differences of the unattacked and attacked images in the digital domain and the optimized phase modulation patterns ( in Section 3.1) are also shown.
It can be seen that differences between the original and attacked images are not significant, which is also shown as high PSNR and SSIM values.
However, the classification models misclassify all the attacked images.
Here, the classified labels differ depending on the employed models.
For instance, the starfish image is misclassified as honeycomb, flatworm, and mask by each model, respectively.
The pixel-domain changes also differ depending on the employed models.
For example, the differences are mostly on the red channel for ResNet50, while those are mostly on the green channel for MobileNetV3.
The amount of distortion is also model-dependent, i.e., the PSNR and SSIM values differ depending on the target classification model for the same image.
For example, the PSNR values of the cabbage butterfly image for VGG16 and MobileNetV3 are 29.86 dB and 37.33 dB, respectively.
These model-dependent characteristics of the perturbations can also be seen in the low transferability of the attacked images between the models, as shown in Table 2.

Source \ Target ResNet50 VGG16 MobileNetV3
ResNet50 0.334 0.792 0.840
VGG16 0.851 0.260 0.823
MobileNetV3 0.862 0.782 0.323
Table 2: Transferability of attacked images for different models in terms of accuracy

However, we also observe the following characteristics of the phase modulation patterns for different images and classifiers.
First, a wider range of phase modulations tends to yield a more distorted image having a lower PSNR value.
For instance, for ResNet50, the phase patterns of both the starfish and airliner images contain larger values (appearing as more red and blue colors) than that of the cabbage butterfly image.
Second, the phase patterns of the same image appear similar to some extent across different models.
For example, the phases of starfish show wave-like patterns, while those of cabbage butterfly contain more grain-like textures.

The overall patterns of the pixel value changes are largely different from those obtained from many existing adversarial attacks in the pixel domain Goodfellow et al. (2015); Kurakin et al. (2017a); Carlini and Wagner (2017).
The former preserves textures of the original images, whereas the latter is typically similar to random noise and barely preserves the original textures.
It is because our adversarial attack method manipulates the imaging system in the phase domain instead of the pixel domain.

5 Real experiments

We physically implement our proposed adversarial attack with an optical system as explained in Section 3 in order to demonstrate the vulnerability of real optical systems in the wild to the proposed optical attack.

5.1 Implementation details

In the real experiments, we place “actual” objects in front of the optical system to capture and acquire images of the objects.
Considering this practical constraint, we use ten real objects that correspond to ten ImageNet classes to obtain images of those objects in the digital domain, which are bath towel, computer keyboard, lighter, paintbrush, ping-pong ball, plate rack, ruler, screwdriver, syringe, and toilet tissue.
We place an object 100-120 cm away from the camera lens, which is a distance with a field-of-view of about mm.
Phase modulation is performed using the SLM with a resolution of pixels and a pixel size of 30 .

We employ the pre-trained ResNet50 and VGG16 models.
The MobileNetV3 model is excluded here due to its relatively poor performance on the actual objects.

In addition to our attack method, we also investigate the impact of other optical-domain distortions that are usually found in real optical systems.
In this study, we consider spherical aberration, defocus, and astigmatism.
The amounts of these distortions are determined in a way that the resulting images have similar SSIM values to those perturbed by our attack.

5.2 Results

Model Metric Original Simulation Real Aberration Defocus Astigmatism
ResNet50 Accuracy 1.0 0.0 0.0 1.0 1.0 1.0
ResNet50 PSNR (dB) 33.36 () 35.81 () 36.03 () 36.11 ()
ResNet50 SSIM 0.9357 () 0.9391 () 0.9386 () 0.9394 ()
VGG16 Accuracy 1.0 0.0 0.0 0.9 0.9 0.9
VGG16 PSNR (dB) 34.31 () 35.38 () 35.37 () 35.29 ()
VGG16 SSIM 0.9381 () 0.9380 () 0.9366 () 0.9367 ()
Table 3: Performance comparison in terms of accuracy, PSNR, and SSIM for the original images, attacked images in simulation, attacked images in the real system, and images with optical distortions in the real system. Standard deviations across images are also shown.

Table 3 shows the overall performance comparison of our attack method and the three optical distortions for different image classification models, where the accuracy, PSNR, and SSIM values are reported.
We also report the accuracy of the original images and the attacked images obtained from our simulation environment explained in Section 4.
Both ResNet50 and VGG16 successfully classify the ten real objects when no distortion is involved.
However, when our attack method is employed, all the objects are classified incorrectly for both models in both simulation and real environments.
Furthermore, unlike our attack method, the optical-domain distortions hardly affect the classification performance; all ten objects are still classified correctly for ResNet50 and nine objects for VGG16.
These results demonstrate that the real optical system is highly vulnerable to the proposed optical adversarial attack.

[Figure 4 images not reproduced. Predicted labels with confidence levels, as shown in the figure:]

Object | Original | Attacked (simulation) | Attacked (real) | Aberration | Defocus | Astigmatism
#1 | screwdriver (42.7%) | assault rifle (18.5%) | assault rifle (17.9%) | screwdriver (21.1%) | screwdriver (23.1%) | screwdriver (21.5%)
#2 | bath towel (29.5%) | paper towel (24.0%) | paper towel (23.6%) | bath towel (18.9%) | bath towel (16.9%) | bath towel (14.2%)
#3 | plate rack (20.7%) | minivan (12.4%) | oxygen mask (17.7%) | plate rack (14.8%) | plate rack (14.9%) | plate rack (17.9%)
#4 | paintbrush (30.7%) | mortar (25.4%) | mortar (26.5%) | paintbrush (26.6%) | paintbrush (26.9%) | paintbrush (27.3%)

Figure 4: Visual showcases of the original and attacked images for ResNet50. Classified labels and their confidence levels are also reported.

Figure 4 shows four visual showcases of our attack and the optical distortions for ResNet50.
When the original and attacked outputs are compared in the digital domain, there are no obvious visual differences between them, which also appears as high PSNR in Table 3.
However, our attack method successfully fools the target image classification model.
For example, the original image #4 is correctly classified as paintbrush.
However, the attacked ones are misclassified as mortar in the simulation and real environments.
The optical distortions hardly affect the classification performance, reducing the confidence levels only slightly (e.g., from 30.7% to 26.6% by spherical aberration) without resulting in misclassification.

The patterns of the phase images obtained from our attack method and those of the optical distortions also show significant differences.
First, the range of the phase values for our attack is significantly smaller than those for the optical distortions: about (rad) vs. (rad).
In addition, the phase patterns are highly distinguishable across different objects for our attack method, while they are not for the optical distortions.

6 Conclusion

We presented the feasibility of attacking optical systems in the optical domain instead of attacking images in the digital domain by introducing an optical adversarial attack.
For a given real object, our attack method finds a spatially varying phase modulation pattern implemented by an SLM in order to minimize the amount of distortion in the digital domain but significantly degrade the performance of image classification models.
We conducted experiments not only in a simulation environment to evaluate with a large amount of data but also in a real optical system to evaluate the proposed attack method in the wild.
The results showed that the optical systems are highly vulnerable to our adversarial attack method, raising a new significant security issue of imaging systems.

Our current work has the following limitations that call for future work.
First, our study can be expanded to a broader range of application fields.
Although we considered the image classification task as the main target of our experiments, our proposed adversarial attack method can be further applied to other fields that employ optical imaging systems to acquire digital images and deep neural networks to perform classification or enhancement, such as microscopic image enhancement Rivenson et al. (2017) and hologram classification Kim et al. (2018).
Second, we focused on investigating the vulnerability of the physical imaging system in this study, and to this end, we proposed the optical adversarial attack.
One of the important next directions will be to find ways to protect optical systems against adversarial attacks applied in both the optical domain and the digital domain.

References

  • [1] A. Athalye, L. Engstrom, A. Ilyas, and K. Kwok (2018). Synthesizing robust adversarial examples. In Proceedings of the International Conference on Machine Learning. Cited by: §1, §2.1.
  • [2] L. Burger, I. A. Litvin, and A. Forbes (2008). Simulating atmospheric turbulence using a phase-only spatial light modulator. South African Journal of Science 104 (3-4), pp. 129–134. Cited by: §2.2.
  • [3] N. Carlini and D. Wagner (2017). Towards evaluating the robustness of neural networks. In Proceedings of the IEEE Symposium on Security and Privacy. Cited by: §2.1, §4.1, §4.2.
  • [4] K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song (2019). Robust physical-world attacks on deep learning visual classification. In Proceedings of the IEEE/CVF International Conference on Computer Vision. Cited by: §2.1.
  • [5] I. J. Goodfellow, J. Shlens, and C. Szegedy (2015). Explaining and harnessing adversarial examples. In Proceedings of the International Conference on Learning Representations. Cited by: §1, §2.1, §4.2.
  • [6] J. W. Goodman (2005). Introduction to Fourier optics. Roberts and Company Publishers. Cited by: §3.1.
  • [7] B. Hadad, S. Froim, H. Nagar, T. Admon, Y. Eliezer, Y. Roichman, and A. Bahabad (2018). Particle trapping and conveying using an optical Archimedes’ screw. Optica 5 (5), pp. 551–556. Cited by: §2.2.
  • [8] K. He, X. Zhang, S. Ren, and J. Sun (2016). Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Cited by: §3.
  • [9] A. Howard, M. Sandler, G. Chu, L. Chen, B. Chen, M. Tan, W. Wang, Y. Zhu, R. Pang, V. Vasudevan, et al. (2019). Searching for MobileNetV3. In Proceedings of the IEEE/CVF International Conference on Computer Vision. Cited by: §3.
  • [10] N. J. Jenness, R. T. Hill, A. Hucknall, A. Chilkoti, and R. L. Clark (2010). A versatile diffractive maskless lithography for single-shot and serial microfabrication. Optics Express 18 (11), pp. 11754–11762. Cited by: §2.2.
  • [11] N. J. Jenness, K. D. Wulff, M. S. Johannes, M. J. Padgett, D. G. Cole, and R. L. Clark (2008). Three-dimensional parallel holographic micropatterning using a spatial light modulator. Optics Express 16 (20), pp. 15942–15948. Cited by: §2.2.
  • [12] A. Jesacher, A. Schwaighofer, S. Fürhapter, C. Maurer, S. Bernet, and M. Ritsch-Marte (2007). Wavefront correction of spatial light modulators using an optical vortex image. Optics Express 15 (9), pp. 5801–5808. Cited by: §2.2, §2.2.
  • [13] H. Kim, W. Lee, H. Lee, H. Jo, Y. Song, and J. Ahn (2016). In situ single-atom array synthesis using dynamic holographic optical tweezers. Nature Communications 7 (1), pp. 1–8. Cited by: §2.2.
  • [14] S. Kim, C. Wang, B. Zhao, H. Im, J. Min, H. J. Choi, J. Tadros, N. R. Choi, C. M. Castro, R. Weissleder, H. Lee, and K. Lee (2018). Deep transfer learning-based hologram classification for molecular diagnostics. Scientific Reports 8. Cited by: §6.
  • [15] D. P. Kingma and J. Ba (2014). Adam: A method for stochastic optimization. arXiv:1412.6980. Cited by: §4.1.
  • [16] V. Kravets, B. Javidi, and A. Stern (2021). Compressive imaging for defending deep neural networks from adversarial attacks. Optics Letters 46 (8), pp. 1951–1954. Cited by: §2.2.
  • [17] A. Kurakin, I. Goodfellow, S. Bengio, Y. Dong, F. Liao, M. Liang, T. Pang, J. Zhu, X. Hu, C. Xie, et al. (2018). Adversarial attacks and defences competition. The NIPS’17 Competition: Building Intelligent Systems. Cited by: §4.1.
  • [18] A. Kurakin, I. Goodfellow, and S. Bengio (2017). Adversarial machine learning at scale. In Proceedings of the International Conference on Learning Representations. Cited by: §2.1, §4.2.
  • [19] A. Kurakin, I. J. Goodfellow, and S. Bengio (2017). Adversarial examples in the physical world. In Proceedings of the International Conference on Learning Representations Workshop. Cited by: §1, §2.1.
  • [20] J. B. Li, F. R. Schmidt, and J. Z. Kolter (2019). Adversarial camera stickers: A physical camera-based attack on deep learning systems. In Proceedings of the International Conference on Machine Learning. Cited by: §1.
  • [21] D. Lowell, J. Lutkenhaus, D. George, U. Philipose, B. Chen, and Y. Lin (2017). Simultaneous direct holographic fabrication of photonic cavity and graded photonic lattice with dual periodicity, dual basis, and dual symmetry. Optics Express 25 (13), pp. 14444–14452. Cited by: §2.2.
  • [22] C. Maurer, A. Jesacher, S. Bernet, and M. Ritsch-Marte (2011). What spatial light modulators can do for optical microscopy. Laser & Photonics Reviews 5 (1), pp. 81–101. Cited by: §2.2.
  • [23] S. Mukherjee, A. Vijayakumar, and J. Rosen (2019). Spatial light modulator aided noninvasive imaging through scattering layers. Scientific Reports 9 (1), pp. 1–11. Cited by: §2.2.
  • [24] D. Nassi, R. Ben-Netanel, Y. Elovici, and B. Nassi (2019). MobilBye: Attacking ADAS with camera spoofing. arXiv:1906.09765. Cited by: §1.
  • [25] J. D. Phillips, M. E. Goda, and J. Schmidt (2005). Atmospheric turbulence simulation using liquid crystal spatial light modulators. In Proceedings of the Advanced Wavefront Control: Methods, Devices, and Applications III, Vol. 5894. Cited by: §2.2.
  • [26] S. Quirin, D. S. Peterka, and R. Yuste (2013). Instantaneous three-dimensional sensing using spatial light modulator illumination with extended depth of field imaging. Optics Express 21 (13), pp. 16007–16021. Cited by: §2.2, §2.2.
  • [27] M. Reicherter, T. Haist, E. U. Wagemann, and H. J. Tiziani (1999). Optical particle trapping with computer-generated holograms written on a liquid-crystal display. Optics Letters 24 (9), pp. 608–610. Cited by: §2.2.
  • [28] Y. Rivenson, Z. Gorocs, H. Gunaydin, Y. Zhang, H. Wang, and A. Ozcan (2017). Deep learning microscopy. Optica 4 (11), pp. 1437–1443. Cited by: §6.
  • [29] O. Russakovsky, J. Deng, H. Su, J. Krause, S. Satheesh, S. Ma, Z. Huang, A. Karpathy, A. Khosla, M. Bernstein, et al. (2015). ImageNet large scale visual recognition challenge. International Journal of Computer Vision 115 (3), pp. 211–252. Cited by: §3.
  • [30] K. Simonyan and A. Zisserman (2015). Very deep convolutional networks for large-scale image recognition. In Proceedings of the International Conference on Learning Representations. Cited by: §3.
  • [31] G. Situ, M. Warber, G. Pedrini, and W. Osten (2010). Phase contrast enhancement in microscopy using spiral phase filtering. Optics Communications 283 (7), pp. 1273–1277. Cited by: §2.2, §2.2.
  • [32] D. Su, H. Zhang, H. Chen, J. Yi, P. Chen, and Y. Gao (2018). Is robustness the cost of accuracy? – A comprehensive study on the robustness of 18 deep image classification models. In Proceedings of the European Conference on Computer Vision. Cited by: §1.
  • [33] Z. Wang, L. Millet, M. Mir, H. Ding, S. Unarunotai, J. Rogers, M. U. Gillette, and G. Popescu (2011). Spatial light interference microscopy (SLIM). Optics Express 19 (2), pp. 1016–1026. Cited by: §2.2, §2.2.
  • [34] M. Warber, S. Maier, T. Haist, and W. Osten (2010). Combination of scene-based and stochastic measurement for wide-field aberration correction in microscopic imaging. Applied Optics 49 (28), pp. 5474–5479. Cited by: §2.2, §2.2.
  • [35] K. Xu, G. Zhang, S. Liu, Q. Fan, M. Sun, H. Chen, P. Chen, Y. Wang, and X. Lin (2020). Adversarial T-shirt! Evading person detectors in a physical world. In Proceedings of the European Conference on Computer Vision. Cited by: §1.

https://www.arxiv-vanity.com/papers/2106.09908/

