IFIP SEC 2018, Abstract of the talk

When George Clooney is not George Clooney: Using GenAttack to Deceive Amazon's and Naver's Celebrity Recognition APIs

Keeyoung Kim1,2,3 and Simon S. Woo1,2
1 The State University of New York, Korea (SUNY-Korea), Incheon, S. Korea
2 Stony Brook University, Stony Brook, NY, USA
3 Artificial Intelligence Research Institute (AIRI), Seongnam, S. Korea

Abstract. In recent years, significant advancements have been made in detecting and recognizing the contents of images using Deep Neural Networks (DNNs). As a result, many companies offer image recognition APIs for use in diverse applications. However, image classification algorithms trained with DNNs can misclassify adversarial examples, posing a significant threat to critical applications. In this work, we present a novel way to generate adversarial example images using an evolutionary genetic algorithm (GA). Our algorithm builds adversarial images by iteratively adding noise to the original images. Unlike the DNN-based adversarial example generation methods of other researchers, our approach requires neither GPU resources nor access to the target DNNs' parameters. We design GenAttack, a simple yet powerful attack algorithm, to create adversarial examples using complex celebrity images, and we evaluate those examples against real-world celebrity recognition APIs from Amazon and Naver. With our attack, we successfully deceive Amazon's and Naver's APIs with a success probability of 86.6% and 100%, respectively. Our work demonstrates the practicability of generating adversarial examples and successfully fooling state-of-the-art commercial image recognition systems.

Keywords: Adversarial Example, Black-box attack, Genetic Algorithm

The paper is published in the IFIP SEC 2018 conference proceedings by Springer Verlag.