Page 9 - IJEEE-2022-Vol18-ISSUE-1
P. 9
Kadhim & Al-Darraji |5
B. Generation of adversarial images 2) Deep Fool attack
Deep Fool is a simple algorithm used to find
Some improvements can be shown in adversarial
attacks. There are also some advantages to the goal they adversarial oscillation images in deep networks. Researchers
achieve. Therefore, each attack represents the basics of the proposed that the Deep Fool algorithm is used to compute
real world. However, here, various first strategies for adversarial examples that would noise modern classifiers.
producing adversarial situations are discussed. Figure 8 shows distorting the image of the deep fool attack
method.
1) Fast Gradient Sign Method (FGSM) attack
Fig. 8: Shows original and adversarial image using FGSM
This method works by using special networks such as a attack.
neural network. This leads to creating an example for
adversarial images. Also, this method uses the gradients of 3) Projected Gradient Descent (PGD) attack
the loss in input images. So, it creates a new image that
improves the technique of utilizing loss gradients in the input This kind of attack model works with many pixels of
image. It also creates a new image to increase the loss. For images. Each pixel can be distorted by at most epsilon = 0.8
the FGSM attack, the attack step size parameter is fixed to 0, of its initial value. All pixels can independently jam, so this
0.01, 0.1, and 0.15. However, it is explained by the following is an endless attack. The test set should be configured as a
equation (1): one-row matrix for each example and each row has a flat
matrix of (146 x 146) pixels. Hence, the overall dimensions
adv_x = x + ? × sign (? x J (?, x, y)) (1) are 10,000 rows and 21,316 columns. Each pixel must be in
the range of [0, 1]. While the PGD attack parameter is fixed
Figure 5 shows the input image when the epsilon value to 8.0. Figure 9 shows distorting the image of the PGD attack
is zero respectively. method.
Fig. 5: Input image when epsilons = [0]. Fig. 9: Shows original and adversarial image using PGD
Running of FGSM attack to create disturbances attack.
(oscillations) used to distort original images. Figure 6 shows
the addition of noise to the original image. C. Feature Extraction
Feature extraction is a process that divides and reduces
Fig. 6: Image noise.
Different values of epsilon can be used. Then, the a large collection of raw data into smaller, more manageable
output of the image can be noticed. The value of epsilon is groupings. As a consequence, processing it will be more
(0.01, 0.1, and 0.15). Figure 7 shows adversarial images straightforward. As a result, CNN networks are responsible
using three values of epsilon. for extracting features from the images in the collection. The
main distinguishing characteristic of these large data sets is
Fig. 7: Shows FGSM attack with various values of their large number of variables. Thus, face feature extraction
granularity of perturbations. is the process of extracting individual facial component
characteristics from a photograph of a human face, such as
the eyes, nose, and mouth. Face feature extraction is critical
for the beginning of processing methods such as face
tracking, facial emotion detection, and face recognition. The
proposed work uses CNN, which does not need a stand-alone
feature extraction. It uses a learnable feature extractor as a
part of the network, which extracts a lot of suitable features.
