Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Natural Language Induced Adversarial Images

Xiaopei Zhu, Peiyang Xu, Guanning Zeng, Yingpeng Dong, Xiaolin Hu

TL;DR

This work proposes a natural language induced adversarial image attack method to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model.

Abstract

Research of adversarial attacks is important for AI security because it shows the vulnerability of deep learning models and helps to build more robust models. Adversarial attacks on images are most widely studied, which include noise-based attacks, image editing-based attacks, and latent space-based attacks. However, the adversarial examples crafted by these methods often lack sufficient semantic information, making it challenging for humans to understand the failure modes of deep learning models under natural conditions. To address this limitation, we propose a natural language induced adversarial image attack method. The core idea is to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model. To adopt commercial text-to-image models for synthesizing more natural adversarial images, we propose an adaptive genetic algorithm (GA) for optimizing discrete adversarial prompts without requiring gradients and an adaptive word space reduction method for improving query efficiency. We further used CLIP to maintain the semantic consistency of the generated images. In our experiments, we found that some high-frequency semantic information such as "foggy", "humid", "stretching", etc. can easily cause classifier errors. This adversarial semantic information exists not only in generated images but also in photos captured in the real world. We also found that some adversarial semantic information can be transferred to unknown classification tasks. Furthermore, our attack method can transfer to different text-to-image models (e.g., Midjourney, DALL-E 3, etc.) and image classifiers. Our code is available at: https://github.com/zxp555/Natural-Language-Induced-Adversarial-Images.

Natural Language Induced Adversarial Images

TL;DR

This work proposes a natural language induced adversarial image attack method to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model.

Abstract

Research of adversarial attacks is important for AI security because it shows the vulnerability of deep learning models and helps to build more robust models. Adversarial attacks on images are most widely studied, which include noise-based attacks, image editing-based attacks, and latent space-based attacks. However, the adversarial examples crafted by these methods often lack sufficient semantic information, making it challenging for humans to understand the failure modes of deep learning models under natural conditions. To address this limitation, we propose a natural language induced adversarial image attack method. The core idea is to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model. To adopt commercial text-to-image models for synthesizing more natural adversarial images, we propose an adaptive genetic algorithm (GA) for optimizing discrete adversarial prompts without requiring gradients and an adaptive word space reduction method for improving query efficiency. We further used CLIP to maintain the semantic consistency of the generated images. In our experiments, we found that some high-frequency semantic information such as "foggy", "humid", "stretching", etc. can easily cause classifier errors. This adversarial semantic information exists not only in generated images but also in photos captured in the real world. We also found that some adversarial semantic information can be transferred to unknown classification tasks. Furthermore, our attack method can transfer to different text-to-image models (e.g., Midjourney, DALL-E 3, etc.) and image classifiers. Our code is available at: https://github.com/zxp555/Natural-Language-Induced-Adversarial-Images.

Paper Structure

This paper contains 39 sections, 12 equations, 7 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. Noise-Based Attacks
  4. Image Editing-Based Attacks
  5. Latent Space-Based Attacks
  6. Text-to-Image Models
  7. Methods
  8. Problem Formulation and Overview
  9. Building the Word Space and Prompts
  10. Fitness Evaluation
  11. ASR
  12. SEM
  13. Adaptive Word Space Reduction
  14. Optimization of Adversarial Prompts
  15. Prompts Initialization
  16. ...and 24 more sections

Figures (7)

  • Figure 1: Different adversarial image attacks. (a) Noise-based attack. (b) Image editing-based attack. (c) Latent space-based attack. (d) Natural language induced adversarial image attack (Ours).
  • Figure 2: The overall pipeline of the proposed method.
  • Figure 3: Examples for animals classifier attacks. The black texts are the prompts, the blue texts are the groundtruth categories, and the red texts are the misclassified categories.
  • Figure 4: Examples of generated images with adversarial semantic information for animal classification attacks.
  • Figure 5: Examples of Google-searched images with adversarial semantic information for animal classification attacks.
  • ...and 2 more figures