Description
Researchers have shown that the predictions of a deep neural network (DNN) for an image set can be severely distorted by a single image-agnostic perturbation, or universal perturbation, usually with an empirically fixed threshold in the spatial domain to restrict its perceptibility. However, current universal perturbations have limited attack ability and, more importantly, limiting the perturbation's norm in the spatial domain may not be a suitable way to restrict the perceptibility of universal adversarial perturbations. In addition, the effects of such attacks on DNN-based texture recognition have yet to be explored. Learning-based image compression has been shown to achieve performance competitive with state-of-the-art transform-based codecs. This motivated the development of learning-based image compression systems targeting both humans and machines. Also, the learning-based compressed-domain representations can be utilized to perform computer vision tasks directly in the compressed domain. In the context of universal attacks, a novel method is proposed to compute more effective universal perturbations via enhanced projected gradient descent on targeted classifiers. The perturbation is optimized by accumulating small updates on perturbed images consecutively. Performance results show that the proposed adversarial attack method can achieve much higher fooling rates as compared to state-of-the-art universal attack methods.
In order to reduce the perceptibility of universal attacks without compromising their effectiveness, a frequency-tuned universal attack framework is proposed that adopts JND thresholds to guide the perceptibility of universal adversarial perturbations. The proposed frequency-tuned attack method can achieve cutting-edge quantitative results and realize a good balance between perceptibility and effectiveness in terms of fooling rate on both natural and texture image datasets. In the context of compressed-domain image recognition, a novel feature adaptation module integrating a lightweight attention model is proposed to adaptively emphasize and enhance the key features within the extracted channel-wise information. Also, an adaptation training strategy is designed to utilize the pretrained pixel-domain weights. The obtained performance results show that the proposed compressed-domain classification model can distinctly outperform the existing compressed-domain classifiers, and that it can also yield similar accuracy results with a much higher computational efficiency as compared to pixel-domain models trained on decoded images.
Details
Title
- Compressed-Domain Deep Learning with Application to Image Recognition and Universal Adversarial Attack
Contributors
- Deng, Yingpeng (Author)
- Karam, Lina J (Thesis advisor)
- Abousleman, Glen (Committee member)
- Jayasuriya, Suren (Committee member)
- Papandreou-Suppappola, Antonia (Committee member)
- Arizona State University (Publisher)
Date Created
2023
Note
- Partial requirement for: Ph.D., Arizona State University, 2023
- Field of study: Electrical Engineering