Robustness of Adversarial Images Against Filters

This article addresses the robustness issue of adversarial images against filters. Given an image A, that a convolutional neural network and a human both classify as belonging to a category c(A), one considers an adversarial image D that the neural network classifies in a category c(t) not equal c(A), although a human would not notice any difference between D and A. Would the application of a filter F (such as the Gaussian blur filter) to D still lead to an adversarial image F(D) that fools the neural network? To address this issue, we perform a study on VGG-16 trained on CIFAR-10, with adversarial images obtained thanks to an evolutionary algorithm run on a specific image A taken in one category of CIFAR-10. Exposed to 4 individual filters, we show that the outputted filtered adversarial images essentially do remain adversarial in some sense. We also show that combining filters may render our EA attack less effective. We therefore design a new evolutionary algorithm, whose aim is to create adversarial images that do pass the filter test, do fool VGG-16 and do remain close enough to A that a human would not notice any difference. We show that this is indeed the case by running this new algorithm on the same image A.