Epsilon Noising Method

Type of Adversarial attacks

Generate an image $\tilde{x}$ by adding a random noise to each pixel of image $x$ with amplitude $[- ϵ, ϵ]$

\forall i, j \in {Pixel Indexes}_{x} {\tilde{x}}_{i, j} = x_{i, j} + ω_{i, j} {\begin{cases} ω_{i, j} \to U ([- ϵ, ϵ]) (Unif. Dist.) \\ ω_{i, j} \to N ([- ϵ, ϵ]) (Normal Dist.) \end{cases}

def enm_attack(image, epsilon):

    # Generate noise matrix, with same shape as image,
    # and random values in [- epsilon, epsilon]
    img_rows = image.shape[-2]
    img_cols = image.shape[-1]
    epsilon_mat = np.asarray([[(2*(np.random.random() - 0.5)*epsilon
                                for i in range(img_rows)]
                               for j in range(img_cols)]])

    # Create the attack image by adjusting each pixel of the input image
    eps_image = image.detach().numpy() + epsilon_mat

    # Clipping eps_image to maintain pixel values into the [0, 1] range
    eps_image = torch.from_numpy(eps_image).float()
    eps_image = torch.clamp(eps_image, 0, 1)

    # Return
    return eps_image

Clipping a value $x$ forces it to remain in interval $[a, b]$ with $a \leq b$

\begin{aligned} γ_{a, b} (x) & = max (a, min (x, b)) \\ γ_{a, b} (x) & = {\begin{cases} a if x \leq a \\ b if x \geq b \\ x otherwise \end{cases} \end{aligned}

Effect on accuracy

Adding noise to an image tends to make models malfunction.

Eventually, with full noise (large $ϵ$ ), the image will be randomly classified. However, these are not considered good attack samples as even humans would struggle to classify them.

Plausibility

To determine if an Adversarial sample is "close enough" to original sample $\tilde{x}$ , we would enforce a constraint on a norm / distance metric between $x$ and $\tilde{x}$ , with an arbitrary difference $| | \tilde{x} - x | | \leq α$