ColorFool: Semantic Adversarial Colorization

Published in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2020

Recommended citation: Ali Shahin Shamsabadi, Ricardo Sanchez-Matilla, Andrea Cavallaro. "ColorFool: Semantic Adversarial Colorization." IEEE Conference on Computer Vision and Pattern Recognition (CVPR), May 14-19, 2020, Seattle, Washington, US.

Adversarial attacks that generate small Lp-norm perturbations to mislead classifiers have limited success in black-box settings and against unseen classifiers. These attacks are also not robust to defenses that use denoising filters or to adversarial training procedures. In contrast, adversarial attacks that generate unrestricted perturbations are more robust to defenses, are generally more successful in black-box settings, and transfer better to unseen classifiers. However, unrestricted perturbations may be noticeable to humans. In this paper, we propose a content-based black-box adversarial attack that generates unrestricted perturbations by exploiting image semantics to selectively modify colors within ranges that humans perceive as natural. We show that the proposed approach, ColorFool, outperforms five state-of-the-art adversarial attacks in success rate, robustness to defense frameworks, and transferability on two tasks, scene and object classification, when attacking three state-of-the-art deep neural networks on three standard datasets. The source code is available online.

Download paper here
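
The core idea described above can be illustrated with a minimal sketch. This is not the authors' implementation: the function name, the binary `sensitive_mask` (standing in for the semantic segmentation ColorFool uses to find regions such as skin or sky), and the fixed perturbation ranges are all assumptions made here for illustration. It shows one way to perturb color while keeping regions flagged as semantically sensitive close to their natural appearance, using a Rec.601 luminance proxy in place of the CIELab lightness channel.

```python
import numpy as np

def semantic_color_perturb(image, sensitive_mask, max_shift=0.1, seed=0):
    """Hypothetical sketch of a semantics-aware color perturbation.

    image:          float array in [0, 1], shape (H, W, 3)
    sensitive_mask: bool array, shape (H, W); True where colors must
                    stay within a tight, natural-looking range
    Returns a perturbed image whose luminance matches the input, so
    only the chromatic content changes (a rough stand-in for modifying
    the a/b channels of CIELab while keeping L fixed).
    """
    rng = np.random.default_rng(seed)
    h, w, _ = image.shape
    # Random per-pixel color shift; shrink it sharply inside regions the
    # (assumed) semantic mask flags as sensitive to unnatural colors.
    shift = rng.uniform(-max_shift, max_shift, size=(h, w, 3))
    shift[sensitive_mask] *= 0.2
    perturbed = np.clip(image + shift, 0.0, 1.0)
    # Restore the original luminance; the Rec.601 weights sum to 1, so
    # adding the per-pixel difference to all channels cancels it exactly.
    weights = np.array([0.299, 0.587, 0.114])
    lum_diff = image @ weights - perturbed @ weights
    return np.clip(perturbed + lum_diff[..., None], 0.0, 1.0)
```

In the actual attack such a perturbation would be resampled and queried against the target classifier until the prediction flips; this sketch only shows the color-modification step.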