Can perceptual similarity metrics be used to compare adversarial attacks?

· Source: Blog of the TransferLab — appliedAI Institute · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Computer Vision, Adversarial Machine Learning · Depth: Advanced, extended

Summary

This analysis investigates the suitability of perceptual similarity metrics, specifically LPIPS (Learned Perceptual Image Patch Similarity), for comparing adversarial attacks in computer vision. Adversarial samples are crafted by perturbing images to cause misclassification by a model while remaining imperceptible to humans. The study highlights that traditional $\ell_p$ norms are inadequate for comparing diverse attack types, leading to the exploration of Wasserstein-based attacks and perceptual metrics like SSIM, FSIM, and LPIPS. Experiments using the Imagenette dataset, a VGG-11 architecture, and LPIPS with VGG-16, AlexNet, and SqueezeNet backends demonstrate that LPIPS itself is susceptible to adversarial perturbations. While PGD attacks with $\ell_{\infty}$ norm showed limited transferability to LPIPS with different backends, Wasserstein attacks exhibited high transferability, rendering LPIPS unsuitable for comparing these attack methods.

Key takeaway

For AI Scientists and Research Scientists evaluating adversarial robustness, relying solely on LPIPS or similar perceptual metrics for comparing diverse adversarial attacks is problematic. Your evaluations should incorporate human perceptual judgment, as LPIPS is shown to be susceptible to adversarial perturbations, especially from Wasserstein-based attacks. This necessitates continued investment in human-in-the-loop validation or the development of more robust, perceptually aligned metrics.

Key insights

Perceptual similarity metrics like LPIPS are vulnerable to adversarial attacks, limiting their use for comparing different attack types.

Principles

Method

The study compares LPIPS score distributions between images perturbed by adversarial attacks and "fake adversaries" (randomly perturbed images) to assess metric susceptibility.

In practice

Topics

Code references

Best for: AI Scientist, Research Scientist, AI Researcher, Deep Learning Engineer, Computer Vision Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Blog of the TransferLab — appliedAI Institute.