Fool me once…
Oct 31, 2017
Researchers Jiawei Su, Danilo Vasconcellos Vargas and Sakurai Kouichi from Japan’s Kyushu University have developed a method to fool AI image classifiers by changing the value of a single pixel in an image. They wanted to trick a deep neural network and automate their attacks, which one could not be able to detect with a naked eye.
Their method of a one-pixel attack worked on nearly three quarters of standard training images, and was based on a technique called differential evolution, which is an optimization method for the best target for their attack. More the pixels, more effective the attack, since three-pixel perturbation had a success rate of 82%, while the five-pixels attack was 87.3% successful. The best result was achieved using an image of a dog in the training set, for which they tricked the deep neural network into classifying as an airplane, car, bird, cat, deer, frog, horse, ship, and a truck.
- Su, Jiawei; Danilo Vasconcellos Vargas; Sakurai Kouichi (2017): One pixel attack for fooling deep neural networks, arxiv.org