Log-normal Mutations and their Use in Detecting Surreptitious Fake Images

TL;DR

This work applies the log-normal method to the attack of fake detectors, and gets successful attacks: importantly, these attacks are not detected by detectors specialized on classical adversarial attacks.

Abstract

In many cases, adversarial attacks are based on specialized algorithms specifically dedicated to attacking automatic image classifiers. These algorithms perform well, thanks to an excellent ad hoc distribution of initial attacks. However, these attacks are easily detected due to their specific initial distribution. We therefore consider other black-box attacks, inspired from generic black-box optimization tools, and in particular the log-normal algorithm. We apply the log-normal method to the attack of fake detectors, and get successful attacks: importantly, these attacks are not detected by detectors specialized on classical adversarial attacks. Then, combining these attacks and deep detection, we create improved fake detectors.

Figures (5)

• Figure 1: Results on instrum-discrete (top, 35 best methods and the worst method out of 98 methods run on this benchmark), pbo-reduced (bottom, 35 best and the worst method out of 156 methods run on this benchmark). log-normal is simple but good. CMALn is a combination of CMA and log-normal (used as a warmup during the early 10% of the budget): on PBO all strong methods use log-normal at some point.
• Figure 2: Results on the Deceptive benchmark in Nevergrad. X-axis: budget. Y-axis: average normalized (linearly to $[0,1]$, for each benchmark) loss. We observe that CMALn (CMA with log-normal warmup) outperforms CMARS (CMA with random search warmup), which outperforms CMA, on this hard benchmark. The best algorithms are based on log-normal: CMALn (resp. NgLn) uses CMA (resp. NGOpt) for local optimization after log-normal. Lengler also performs well, showing that discrete algorithms can be competitive for continuous problems, in the hardest cases, as a warmup or as a standalone method. The CSEC codes are all variants of NgIohTuned: they are good, but still outperformed by codes based on Lognormal. We note an excellent performance of the Lengler method adapted to continuous problems, in particular for the greatest values of the budget, though Table \ref{['dag']} shows that log-normal was better over the different budget values $(25, 37, 50, 75, 87, 100, 200, 400, 800, 1600, 3200, 6400, 12800)$ for the criterion defined in Section \ref{['ranking']}.
• Figure 3: Example of attacked images. All attacks are done with a budget of 10k queries and $l^\infty=0.03$.
• Figure 4: Analysis of variants of Lognormal mutations (1/2). The number between parentheses is the average score for the maximum budget and the number between brackets is the average score for the penultimate budget: as these two figures are obtained in completely independent runs the consistency between both shows the robustness/significance of the ranking (more details in Appendix \ref{['ranking']}). Unsurprisingly, the Optimistic variants (Section \ref{['algos']}) of log-normal algorithms perform well for noisy optimization problems such as 007.
• Figure 5: Analysis of variants of Lognormal mutations (2/2). We observe that the default parametrization of LogNormal is essentially ok. Lognormal mutations are a serious competitor in some continuous problems when the prior search distribution used implicitly at initialization and mutation is good and the dimension is high (e.g., YAHDBBOB). For topology optimization, the variable-wise adaptive mutation rate AnisotropicAdaptiveDiscreteOnePlusOne (see Section \ref{['algos']}) is excellent.