Title: SpotOn: A Gradient-based Targeted Data Poisoning Attack on Deep Neural Networks
Authors: Yash Khare, Kumud Lakara, Sparsh Mittal, Arvind Kaushik, Rekha Singhal
Venue: 2023 24th International Symposium on Quality Electronic Design (ISQED)
Publication date: 2023-04-05
DOI: 10.1109/ISQED57927.2023.10129311 (https://doi.org/10.1109/ISQED57927.2023.10129311)
Code: https://github.com/CandleLabAI/SpotOn-AttackOnDNNs
Citations: 0
Abstract
Deep neural networks (DNNs) are vulnerable to adversarial inputs, which are created by adding minor perturbations to genuine inputs. Previous gradient-based adversarial attacks, such as the "fast gradient sign method" (FGSM), add an equal amount (say ϵ) of noise to all the pixels of an image. This degrades image quality significantly, such that a human validator can easily detect the resultant adversarial samples. We propose a novel gradient-based adversarial attack technique named SpotOn, which seeks to keep the quality of adversarial images high. We first identify an image's region of importance (ROI) using Grad-CAM. SpotOn has three variants. Two variants of SpotOn attack only the ROI, whereas the third variant adds an epsilon (ϵ) amount of noise to the ROI and a much smaller amount of noise (say ϵ/3) to the remaining image. On the Caltech101 dataset, compared to FGSM, SpotOn achieves comparable degradation in CNN accuracy while maintaining much higher image quality. For example, for ϵ = 0.1, FGSM degrades VGG19 accuracy from 92% to 8% and leads to an SSIM value of 0.48 by attacking all pixels in an image. By contrast, SpotOn-VariableNoise attacks only 34.8% of the pixels in the image, degrades accuracy to 10.5%, and maintains an SSIM value of 0.78. This makes SpotOn an effective data-poisoning attack technique. The code is available from https://github.com/CandleLabAI/SpotOn-AttackOnDNNs.