AdvST: Generating Unrestricted Adversarial Images via Style Transfer

Recent years have witnessed extensive applications of Deep Neural Networks (DNNs) in various vision tasks. However, DNNs are vulnerable to adversarial images crafted by introducing perturbations into inputs to induce incorrect predictions. Unlike L-p -norm restricted adversarial attacks, many unrestricted attacks have been proposed by modifying attributes of the image (e.g., edge, color), while the critical components of the image are preserved. However, most existing unrestricted attacks easily introduce unnatural distortions, colors, stains and schemes, in the generated adversarial images. This paper proposes a novel unrestricted attack (named AdvST) to create stylized, natural-looking, and high-transferability adversarial images. The basic idea of AdvST is to embed adversarial perturbations when transferring the style from the reference image onto the original image (i.e., rendering the original image's semantic contents into the reference image's style). To further improve the image quality of generated adversarial images, we refine two kinds of reference images (i.e., photographs and artworks) based on different attractive styles and design two attacks accordingly. For photorealistic attack, we incorporate semantic information obtained from segmentation maps to improve the photo realism of adversarial images. For artistic attack, we propose integrating edge information extracted by the Laplace operator to preserve the structural integrity of the original image. Extensive experimental results validate the superior performance of AdvST in terms of adversarial image quality and black-box transferability compared to benchmark methods.