We propose a steganography based technique to generate adversarial perturbations to fool deep models on any image. The proposed perturbations are computed in a transform domain where a single secret image embedded in any target image makes any deep model misclassify the target image with high probability. The attack resulting from our perturbation is ideal for black-box setting, as it does not require any information about the target model. Moreover, being a non-iterative technique, our perturbation estimation remains computationally efficient. The computed perturbations are also imperceptible to humans while they achieve high fooling ratios for the models trained on large-scale ImageNet dataset. We demonstrate successful fooling of ResNet-50, VGG-16, Inception-V3 and MobileNet-V2, achieving up to 89% fooling of these popular classification models.

我们提出一种基于隐写术的技术来生成对抗性扰动，以欺骗任何图像上的深层模型。拟议的扰动是在变换域中计算的，在该变换域中，嵌入在任何目标图像中的单个秘密图像使任何深度模型都极有可能对目标图像进行错误分类。由我们的摄动引起的攻击非常适合黑匣子设置，因为它不需要有关目标模型的任何信息。而且，作为一种非迭代技术，我们的扰动估计在计算上仍然有效。当在大型ImageNet数据集上训练的模型达到很高的愚弄率时，计算出的扰动对于人类来说也是不可感知的。我们展示了ResNet-50，VGG-16，Inception-V3和MobileNet-V2的成功欺骗，实现了这些流行分类模型高达89％的欺骗。