Frequency-Tuned Universal Adversarial Perturbations

Abstract

The predictions of a convolutional neural network (CNN) for an image set can be severely altered by one single image-agnostic perturbation, or universal perturbation, even when the perturbation is small to restrict its perceptibility. Such universal perturbations are typically generated and added to an image in the spatial domain. However, it is well known that human perception is affected by local visual frequency characteristics. Based on this, we propose a frequency-tuned universal attack method to compute universal perturbations in the frequency domain. We show that our method can realize a good balance between perceptibility and effectiveness in terms of fooling rate by adapting the perturbations to the local frequency content. Compared with existing universal adversarial attack techniques, our frequency-tuned attack method can achieve cutting-edge quantitative results. We demonstrate that our approach can significantly improve the performance of the baseline on both white-box and black-box attacks.