Clean-label attack based on negative afterimage on neural networks

Adversarial attacks can fool machine learning models by adding small but carefully designed perturbations to an image, resulting in the model to misclassify it into another class. In general, an attacker chooses a target class as a pollution source to generate a perturbed image and tricks the classifier into classifying it as the target class. However, the effectiveness of adversarial attacks suffers from some limitations, including the need for specific control over the labeling of the target class and challenges in generating effective adversarial samples in real-world scenarios. To overcome these limitations, we propose a novel clean-label attack based on negative afterimage. Negative afterimage is a visual phenomenon whereby, after gazing at a bright image for some time, one perceives the inverse color image of the previously observed bright region when shifting focus to a darker area. We explore the afterimage phenomenon and use negative afterimages as pollution sources to generate adversarial samples, which can avoid any dependency on the labeling of pollution sources. Subsequently, we generate adversarial samples using an optimization-based approach to ensure that adversarial samples are visually undetectable. We conducted experiments on two widely used datasets, CIFAR-10 and ImageNet. The results show that our proposed method can effectively generate adversarial samples with high stealthiness.