Can perceptual similarity metrics be used to compare adversarial attacks?
Summary
This analysis investigates the suitability of perceptual similarity metrics, specifically LPIPS (Learned Perceptual Image Patch Similarity), for comparing adversarial attacks in computer vision. Adversarial samples are crafted by perturbing images to cause misclassification by a model while remaining imperceptible to humans. The study highlights that traditional $\ell_p$ norms are inadequate for comparing diverse attack types, leading to the exploration of Wasserstein-based attacks and perceptual metrics like SSIM, FSIM, and LPIPS. Experiments using the Imagenette dataset, a VGG-11 architecture, and LPIPS with VGG-16, AlexNet, and SqueezeNet backends demonstrate that LPIPS itself is susceptible to adversarial perturbations. While PGD attacks with $\ell_{\infty}$ norm showed limited transferability to LPIPS with different backends, Wasserstein attacks exhibited high transferability, rendering LPIPS unsuitable for comparing these attack methods.
Key takeaway
For AI Scientists and Research Scientists evaluating adversarial robustness, relying solely on LPIPS or similar perceptual metrics for comparing diverse adversarial attacks is problematic. Your evaluations should incorporate human perceptual judgment, as LPIPS is shown to be susceptible to adversarial perturbations, especially from Wasserstein-based attacks. This necessitates continued investment in human-in-the-loop validation or the development of more robust, perceptually aligned metrics.
Key insights
Perceptual similarity metrics like LPIPS are vulnerable to adversarial attacks, limiting their use for comparing different attack types.
Principles
- $\ell_p$ norms are insufficient for comparing diverse adversarial attacks.
- Adversarial attacks can transfer across different neural network architectures.
- Human judgment remains critical for evaluating adversarial imperceptibility.
Method
The study compares LPIPS score distributions between images perturbed by adversarial attacks and "fake adversaries" (randomly perturbed images) to assess metric susceptibility.
In practice
- Use human surveys for robust adversarial attack evaluation.
- Consider Wasserstein attacks for higher transferability.
- Be aware of LPIPS's vulnerability to adversarial manipulation.
Topics
- Adversarial Attacks
- Perceptual Metrics
- LPIPS
- Wasserstein Distance
- Computer Vision Robustness
Code references
Best for: AI Scientist, Research Scientist, AI Researcher, Deep Learning Engineer, Computer Vision Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Blog of the TransferLab — appliedAI Institute.