Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS

Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS

Adversarial attacks on deep neural networks (DNNs) present significant challenges by exploiting model vulnerabilities using perturbations that are often imperceptible to human observers. Traditional approaches typically constrain perturbations using p-norms, which do not effectively capture human pe...

Full description

Saved in:
Bibliographic Details
Main Authors: Liming Fan, Anis Salwa Mohd Khairuddin, Haichuan Liu, Khairunnisa Binti Hasikin
Format: Article
Language:English
Published: IEEE 2025-01-01
Series:IEEE Access
Subjects:
Adversarial attacks
perceptual similarity
LPIPS
deep neural networks
robustness
transferability
Online Access:https://ieeexplore.ieee.org/document/11078278/
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1839614788120870912
author Liming Fan
Anis Salwa Mohd Khairuddin
Haichuan Liu
Khairunnisa Binti Hasikin
author_facet Liming Fan
Anis Salwa Mohd Khairuddin
Haichuan Liu
Khairunnisa Binti Hasikin
author_sort Liming Fan
collection DOAJ
description Adversarial attacks on deep neural networks (DNNs) present significant challenges by exploiting model vulnerabilities using perturbations that are often imperceptible to human observers. Traditional approaches typically constrain perturbations using p-norms, which do not effectively capture human perceptual similarity. In this work, we propose the Perceptual Carlini-Wagner (PCW) attack, which integrates the Learned Perceptual Image Patch Similarity (LPIPS) metric into the adversarial optimization process. By replacing p-norm constraints with LPIPS, PCW generates adversarial examples that are both highly effective at inducing misclassification and visually indistinguishable from the original images. We evaluate PCW on the CIFAR-10, CIFAR-100, and ImageNet datasets. On ImageNet, adversarial examples crafted using PCW achieve an LPIPS distance of only 0.0002 from clean images, in contrast to 0.3 LPIPS for those produced by the CW and PGD attacks. In terms of robustness, PCW shows superior performance under common image processing defenses such as JPEG compression and bit-depth reduction, outperforming CW and SSAH and rivaling PGD. Additionally, we test PCW against adversarially trained models from RobustBench and find that it maintains high attack success rates, significantly outperforming CW and PGD in this more challenging setting. Finally, we assess the transferability of PCW across model architectures. While LPIPS contributes to perceptual alignment, it does not significantly improve transferability, with results comparable to those of the original CW attack.
format Article
id doaj-art-3a96e9bbe5e54493817ddd4fe7d30ef1
institution Matheson Library
issn 2169-3536
language English
publishDate 2025-01-01
publisher IEEE
record_format Article
series IEEE Access
spelling doaj-art-3a96e9bbe5e54493817ddd4fe7d30ef12025-07-25T23:00:48ZengIEEEIEEE Access2169-35362025-01-011312918512919410.1109/ACCESS.2025.358811311078278Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPSLiming Fan0https://orcid.org/0009-0009-6917-6382Anis Salwa Mohd Khairuddin1https://orcid.org/0000-0002-9873-4779Haichuan Liu2https://orcid.org/0000-0003-0559-5552Khairunnisa Binti Hasikin3https://orcid.org/0000-0002-0471-3820Department of Electrical Engineering, Faculty of Engineering, Universiti Malaya, Kuala Lumpur, MalaysiaDepartment of Electrical Engineering, Faculty of Engineering, Universiti Malaya, Kuala Lumpur, MalaysiaDepartment of Electrical Engineering, Faculty of Engineering, Universiti Malaya, Kuala Lumpur, MalaysiaDepartment of Biomedical Engineering, Faculty of Engineering, Universiti Malaya, Kuala Lumpur, MalaysiaAdversarial attacks on deep neural networks (DNNs) present significant challenges by exploiting model vulnerabilities using perturbations that are often imperceptible to human observers. Traditional approaches typically constrain perturbations using p-norms, which do not effectively capture human perceptual similarity. In this work, we propose the Perceptual Carlini-Wagner (PCW) attack, which integrates the Learned Perceptual Image Patch Similarity (LPIPS) metric into the adversarial optimization process. By replacing p-norm constraints with LPIPS, PCW generates adversarial examples that are both highly effective at inducing misclassification and visually indistinguishable from the original images. We evaluate PCW on the CIFAR-10, CIFAR-100, and ImageNet datasets. On ImageNet, adversarial examples crafted using PCW achieve an LPIPS distance of only 0.0002 from clean images, in contrast to 0.3 LPIPS for those produced by the CW and PGD attacks. In terms of robustness, PCW shows superior performance under common image processing defenses such as JPEG compression and bit-depth reduction, outperforming CW and SSAH and rivaling PGD. Additionally, we test PCW against adversarially trained models from RobustBench and find that it maintains high attack success rates, significantly outperforming CW and PGD in this more challenging setting. Finally, we assess the transferability of PCW across model architectures. While LPIPS contributes to perceptual alignment, it does not significantly improve transferability, with results comparable to those of the original CW attack.https://ieeexplore.ieee.org/document/11078278/Adversarial attacksperceptual similarityLPIPSdeep neural networksrobustnesstransferability
spellingShingle Liming Fan
Anis Salwa Mohd Khairuddin
Haichuan Liu
Khairunnisa Binti Hasikin
Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS
IEEE Access
Adversarial attacks
perceptual similarity
LPIPS
deep neural networks
robustness
transferability
title Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS
title_full Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS
title_fullStr Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS
title_full_unstemmed Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS
title_short Perceptual Carlini-Wagner Attack: A Robust and Imperceptible Adversarial Attack Using LPIPS
title_sort perceptual carlini wagner attack a robust and imperceptible adversarial attack using lpips
topic Adversarial attacks
perceptual similarity
LPIPS
deep neural networks
robustness
transferability
url https://ieeexplore.ieee.org/document/11078278/
work_keys_str_mv AT limingfan perceptualcarliniwagnerattackarobustandimperceptibleadversarialattackusinglpips
AT anissalwamohdkhairuddin perceptualcarliniwagnerattackarobustandimperceptibleadversarialattackusinglpips
AT haichuanliu perceptualcarliniwagnerattackarobustandimperceptibleadversarialattackusinglpips
AT khairunnisabintihasikin perceptualcarliniwagnerattackarobustandimperceptibleadversarialattackusinglpips

Similar Items