Neural networks are among the best tools for classification tasks. They power everything from image recognition to natural language processing, providing incredible accuracy and versatility. But what if I told you that you could completely undermine a neural network or trick it into making mistakes? Intrigued? Let's explore adversarial attacks and understand how they can cause a neural network to incorrectly classify over a task.
Table of Content
- The Art of Deception: Adding Noise
- The One-Pixel Attack: Minimal Change, Maximum Impact
- Let's Dive deep and see some practical implementation
- We will first load our dataset, model and all the available classes
- Now we have our model and dataset ready to try one pixel attack on a image. to change the pixel, feed the input to the model and plot the image. we will create some helper function as given below.
- we have our result and confidence saved in this variable. Let's try to plot them using matplotlib.
- The result is as shown below for the above code
The Art of Deception: Adding Noise
One of the simplest ways to fool a neural network is by adding noise to an image. Imagine you have a picture of a cat, and the neural network correctly identifies it as a cat. By subtly modifying the image, perhaps tweaking the brightness of a few pixels you can cause the neural network to misclassify the image entirely. This technique is known as an adversarial attack. An adversarial attack involves modifying a large number of pixels to add noise and cause a network to misclassify. You might think that at least 100 pixels need to be changed, but surprisingly, changing just one pixel can make the attack successful.
The One-Pixel Attack: Minimal Change, Maximum Impact
Yes, you read that right one pixel can be enough to cause a misclassification. This is known as a one-pixel attack which is a kind of an adversarial attack. This minimal change is enough to disrupt the network’s ability to correctly interpret the image, showcasing just how fragile these sophisticated systems can be.
Let's Dive deep and see some practical implementation
We will used CIFAR-10 Dataset and trained Resnet model network for demonstration purpose. The attacked also worked on other dataset with less dimensions. the CIFAR-10 data is already available with Keras. It is a 32* 32 dimensions dataset with 10 classes.
We will first load our dataset, model and all the available classes
#import all the necessary libraries
import numpy as np
import matplotlib.pyplot as plt
from keras.models import load_model
from keras.datasets import cifar10
# Load our CIFAR-10 dataset imported from keras
(x_train, y_train), (x_test, y_test) = cifar10.load_data()
#all the class names avalaible in the dataset
class_names = ['airplane', 'automobile', 'bird', 'cat', 'deer', 'dog', 'frog', 'horse', 'ship', 'truck']
# Load our resnet pre-trained model
model = load_model('resnet_cifar10.h5') #replace with your model path
Now we have our model and dataset ready to try one pixel attack on a image. to change the pixel, feed the input to the model and plot the image. we will create some helper function as given below.
# a function to plot our image
def plot_image(image, title):
plt.imshow(image)
plt.title(title)
plt.axis('off')
#function to predict on a image
def predict_image(image, model):
image = np.expand_dims(image, axis=0)
prediction = model.predict(image)
predicted_class = np.argmax(prediction)
confidence = prediction[0][predicted_class]
return predicted_class, confidence
#function to modify a pixel to a required RGB value
def modify_pixel(pixel, img):
img_modified = np.copy(img)
x_pos, y_pos, r, g, b = pixel
img_modified[x_pos, y_pos] = [r, g, b]
return img_modified
we are all set to make a one-pixel attack on a random image from our CIFAR-10 dataset now. let's pick up a image with id 60 which is a horse and try to make an attack on it. we will feed the original image and a modified image and save its result and confidence in a variable.
# Define the pixel modification
image_id = 60 # Change this to test with other images
pixel = [16, 16, 255, 0, 0] # Example modification: (x, y, r, g, b)
# Original image and prediction
original_image = x_test[image_id]
original_class, original_confidence = predict_image(original_image, model)
# Modified pixel image and prediction
modified_image = modify_pixel(pixel, original_image)
modified_class, modified_confidence = predict_image(modified_image, model)
we have our result and confidence saved in this variable. Let's try to plot them using matplotlib.
# Plot original and modified images with predictions
plt.figure(figsize=(10, 5))
plt.subplot(1, 2, 1)
plot_image(original_image, f'Original: {class_names[original_class]} ({original_confidence:.2f})')
plt.subplot(1, 2, 2)
plot_image(modified_image, f'Modified Pixel: {class_names[modified_class]} ({modified_confidence:.2f})')
plt.show()
print(f"Original Class: {class_names[original_class]}, Confidence: {original_confidence:.2f}")
print(f"Modified Pixel Class: {class_names[modified_class]}, Confidence: {modified_confidence:.2f}")
The result is as shown below for the above code
We successfully disrupted a neural network architecture by modifying a single pixel. Sometimes by slightly moving the pixel on the right corner or any other location, the attacked image is still predicted as true. This raises the question: how can we identify which pixel to modify?
we can assume it like an optimization problem and use gradient-optimization technique. we have discrete space between 0 to 31 and color from 0 to 255. So, our image is rough and uneven due to less smaller dimensions. Differential Evolution algorithm is used to search for the pixel to morph.
Ever wondered where this type of attack can have a big impact. One pixel attack can make an autonomous vehicle or a medical imaging tool to misclassify which can lead to big issues. we need to carefully handle this attack when our classification task relies heavily on certain features to predict the output.