The Noise Blowing-Up Strategy Creates High Quality High Resolution Adversarial Images against Convolutional Neural Networks

Convolutional neural networks (CNNs) serve as powerful tools in computer vision tasks with extensive applications in daily life. However, they are susceptible to adversarial attacks. Still, attacks can be positive for at least two reasons. Firstly, revealing CNNs' vulnerabilities prompts efforts to enhance their robustness. Secondly, adversarial images can also be employed to preserve privacy-sensitive information from CNN-based threat models aiming to extract such data from images. For such applications, the construction of high-resolution adversarial images is mandatory in practice. This paper firstly quantifies the speed, adversity, and visual quality challenges involved in the effective construction of high-resolution adversarial images, secondly provides the operational design of a new strategy, called here the noise blowing-up strategy, working for any attack, any scenario, any CNN, any clean image, thirdly validates the strategy via an extensive series of experiments. We performed experiments with 100 high-resolution clean images, exposing them to seven different attacks against 10 CNNs. Our method achieved an overall average success rate of 75% in the targeted scenario and 64% in the untargeted scenario. We revisited the failed cases: a slight modification of our method led to success rates larger than 98.9%. As of today, the noise blowing-up strategy is the first generic approach that successfully solves all three speed, adversity, and visual quality challenges, and therefore effectively constructs high-resolution adversarial images with high-quality requirements.

Even so, CNNs are vulnerable to attacks. In the context of image classification, which is considered in the present paper, carefully designed adversarial noise added to the original image can lead to adversarial images being misclassified by CNNs. These issues can lead to serious safety problems in real-life applications. On the flip side, such vulnerabilities can also be leveraged to obscure security and privacy-sensitive information from CNN-based threat models seeking to extract such data from images [15][16][17].
In a nutshell, adversarial attacks are categorized based on two components: the level of knowledge the attacker has about the CNN; the scenario followed by the attack. Regarding the first component, in a white-box attack [3][18][19][20][21] (also known as gradient-based attack), the attacker has full access to the architecture and to the parameters of the CNN. In contrast, in a black-box attack [22][23][24][25][26][27], the attacker does not know the CNN's parameters or architecture; its knowledge is limited to the CNN's evaluation for any input image, including the label category in which it classifies the image, and the corresponding label value. As a consequence of the knowledge bias, white-box attacks usually generate adversarial images faster than black-box attacks. Regarding the second component, in the target scenario, the goal of the attack is to manipulate the clean input image to create an adversarial image that the CNN classifies into a predefined target category. In the untargeted scenario, the goal of the attack is to create an adversarial image that the CNN classifies into any category other than the category of the clean image. An additional objective in these scenarios is to require that the modifications put on the original clean image to create the adversarial image remain imperceptible to a human eye.

Standard Adversarial Attacks
To perform image recognition, CNNs start their assessment of any image by first resizing it to their own input size. In particular, high-resolution images are scaled down, say to 32 × 32 or 224 × 244 for most CNNs trained on CIFAR-10, respectively on ImageNet [28]. Until recently (and still now), to the best of our knowledge, attacks are performed on these resized images. Consequently, the resulting adversarial images' size coincides with the CNN input's size, regardless of the size of the original images. Figure 1 describes this standard approach, in which attacks take place in the low-resolution domain, denoted as the R domain in this paper. As previously highlighted, the susceptibility of CNNs to adversarial attacks can be utilized to obfuscate privacy-sensitive information from CNN-empowered malicious software. To use adversarial images for such security purposes, their sizes must match the sizes of the original clean images considered. In practice, these sizes are usually far larger than 224 × 224. However, generating high-resolution adversarial images, namely adversarial images in the H domain as we call it in this paper, poses certain difficulties.

Challenges and Related Works
Creating adversarial images of the same size as their clean counterparts, as illustrated in Figure 2, is a novel and highly challenging task in terms of speed, adversity, and imperceptibility.
Firstly, the complexity of the problem grows quadratically with the size of the images. This issue impacts the speed of attacks performed directly in the H domain. In [29], an evolutionary algorithm-based black-box attack that successfully handled images of sizes 224 × 224 was tested on a high-resolution image of size 910 × 607 via the direct approach illustrated in Figure 2. Despite 40 h of computational efforts, it failed to create a high-resolution adversarial image by this direct method. This indicates that a direct attack in the H domain, as described above, is unlikely to succeed. An alternative approach is definitely needed to speed up the attack process in the H domain.
Additionally, the adversarial noise in the high-resolution adversarial image should prevail even when the adversarial image is resized to the input size of the CNN. Finally, the difference between the high-resolution original clean image and the high-resolution adversarial image must be imperceptible to a human eye. A first solution to the speed and adversity challenges is presented in [29,30] as an effective strategy that smoothly transforms an adversarial image, regardless of how it is generated, from the R domain to the H domain. However, the imperceptibility issue was not resolved.

Our Contribution
In this article, we introduce a novel strategy, extending our conference paper [31] (and enhancing [29,30]). This strategy stands as the first effective method for generating high visual quality adversarial images in the high-resolution domain in the following sense: The strategy works for any attack, any scenario, any CNN, and any clean high-resolution image. Compared to related works, our refined strategy substantially increases the visual quality of the high-resolution adversarial images, as well as the speed and efficiency in creating them. In summary, the approach amounts to a "blowing-up" to the high-resolution domain of the adversarial noise (only of the adversarial noise, and not of the full adversarial image) created in the low-resolution domain. Adding this high-resolution noise to the original high-resolution clean image leads to an indistinguishable high-resolution adversarial image.
This noise blowing-up strategy is validated in terms of speed, adversity, and visual quality by an extensive set of experiments. It encompasses seven attacks (four white-box and three black-box) against 10 state-of-the-art CNNs trained on ImageNet; the attacks are performed both for the untargeted and the target scenario, with 100 high-resolution clean images. In particular, the visual quality of high-resolution adversarial images generated with our method is thoroughly studied; the outcomes are compared with adversarial images resulting from [29,30].

Organisation of the Paper
Our paper is organised as follows. Section 2 briefly recalls the target and untarget scenarios in R and their versions in H, fixes some notations, and lists a series of indicators ($L_p$ norms and FID) used to assess the human perception of distinct images. Section 3 formalises the noise blowing-up strategy, provides the scheme of the attack $\mathrm{atk}_{H,C}$ that lifts to H any attack $\mathrm{atk}_{R,C}$ against a CNN $C$ that works in the R domain, and that takes advantage of lifting the adversarial noise only. It recalls some complementary indicators used to assess the impact of the obtained tentative adversarial images (loss function $L^C$, "safety buffer" $\Delta^C$), and again fixes some notations. The experimental study is performed in the subsequent sections. Section 4 describes the ingredients of the experiments: the resizing functions, the 10 CNNs, the 100 clean high-resolution images, the target categories considered in the target scenario, and the 7 attacks. Section 5 provides the results of the experiments performed under these conditions: success rate, visual quality, and imperceptibility of the difference between adversarial and clean images, timing, and overhead of the noise blowing-up strategy. The cases where the standard implementation of the strategy failed to succeed are revisited in Section 6 thanks to the "safety buffer" $\Delta^C$. Finally, Section 7 provides a comparison of the noise blowing-up method with the generic lifting method [29,30] on three challenging high-resolution images, one CNN, and one attack for the target scenario. Section 8 summarizes our findings, and indicates directions for future research. An Appendix completes the paper with additional data and evidence.

CNNs and Attack Scenarios
CNNs performing image classification are trained on some large dataset $S$ to sort images into predefined categories $c_1, \dots, c_\ell$. The categories, and their number $\ell$, are associated with $S$ and are common to all CNNs trained on $S$. One denotes by R the set of images of size $r_1 \times r_2$ (where $r_1$ is the height, and $r_2$ is the width of the image) natively adapted to such CNNs.
Once trained, a CNN can be exposed to images (typically) in the same domain R as those on which it was trained. Given an input image $I \in R$, the trained CNN produces a classification output vector where $0 \le o_I[i] \le 1$ for $1 \le i \le \ell$, and $\sum_{i=1}^{\ell} o_I[i] = 1$. Each $c_i$-label value $o_I[i]$ measures the plausibility that the image $I$ belongs to the category $c_i$.
Consequently, the CNN classifies the image $I$ as belonging to the category $c_k$ if $k = \arg\max_{1 \le i \le \ell}(o_I[i])$. If there is no ambiguity on the dominating category (as occurs for most images used in practice; we also make this assumption in this paper), one denotes by $(c_k, o_I[k])$ the pair specifying the dominating category and the corresponding label value. The higher the $c_k$-label value $o_I[k]$, the higher the confidence that $I$ represents an object of the category $c_k$ from the CNN's "viewpoint". For the sake of simplicity and consistency with the remainder of this paper, we shall write (c I , (2)

Assessment of the Human Perception of Distinct Images
Given two images A and B of the same size $h \times w$ (belonging or not to the R domain), there are different ways to assess numerically the human perception of the difference between them, as well as the actual "weight" of this difference. In the present study, this assessment is performed mainly by computing the (normalized) values of $L_p(A, B)$ for $p = 0, 1, 2$, or $\infty$ and the Fréchet Inception Distance (FID).
Introduced in [37], FID originally served as a metric to evaluate the performance of GANs by assessing the similarity of generated images. FID is one of the recent tools for assessing the visual quality of adversarial images and it aligns closely with human judgment (see [38][39][40]). On the other hand, [41,42] provide an assessment of $L_p$-norms as a measure of perceptual distance between images.
In a nutshell, for an image $I$ of size $h \times w$, the integer $0 \le p_{i,j,\alpha}(I) \le 255$ denotes the value of the pixel positioned in the $i$th row, $j$th column of the image, where $1 \le i \le h$, $1 \le j \le w$, and $\alpha \in \{R, G, B\}$. These quantities satisfy the inequalities: The closer their values are to 0, the closer are the images A, B to each other.
To effectively capture the degree of disturbance, and therefore to provide a reliable measure of the level of disruption, FID quantifies the separation between clean and disturbed images based on extracting features from images that are provided by the Inception-v3 network [43]. Activations from one of the intermediate layers of the Inception-v3 model are used as feature representations for each image. FID assesses the similarity between two probability distributions in a metric space, via the formula: where $\mu_A$ and $\mu_B$ denote feature-wise mean vectors for the images A and B, respectively, reflecting average features observed across the images. $M_A$ and $M_B$ represent covariance matrices for the feature vectors (covariance matrices offer insights into how features in the vectors co-vary with each other). The quantity $\|\mu_A - \mu_B\|^2$ captures the squared difference in mean vectors (highlighting disparities in these average features), and the trace quantity assesses dissimilarities between the covariance matrices. In the end, FID quantifies how similar the distribution of feature vectors in A is to that in B. The lower the FID value, the more similar the images A and B.

Attack Scenarios in the R Domain
Let $C$ be a trained CNN, $c_a$ be a category among the $\ell$ possible categories, and $A$ a clean image in the R domain, classified by $C$ as belonging to $c_a$. Let $\tau_a$ be its $c_a$-label value. Based on these initial conditions, we describe two attack scenarios (the target scenario and the untarget scenario) aiming at creating an adversarial image $D \in R$ accordingly.
Whatever the scenario, one requires that $D$ remains so close to $A$ that a human would not notice any difference between $A$ and $D$. This is done in practice by fixing the value of the parameter ϵ, which controls (or restricts) the global maximum amplitude allowed for the modifications of each pixel value of $A$ to construct an adversarial image $D$. Note that, for a given attack scenario, the value set to ϵ usually depends on the concrete attack performed, more specifically on the $L_p$ distance used in the attack to assess the human perception between an original and an adversarial image.
The $(c_a, c_t)$ target scenario performed on $A$ requires first to select a category $c_t \ne c_a$. The attack then aims at constructing an image $D$ that is either a good enough adversarial image or a τ-strong adversarial image.
A good enough adversarial image is an adversarial image that $C$ classifies as belonging to the target category $c_t$, without any requirement on the $c_t$-label value $\tau_t$ beyond being strictly dominant among all label values. A τ-strong adversarial image is an adversarial image that $C$ not only classifies as belonging to the target category $c_t$, but for which its $c_t$-label value $\tau_t \ge \tau$ for some threshold value $\tau \in [0, 1]$ fixed a priori.
In the untarget scenario performed on $A$, the attack aims at constructing an image $D$ that $C$ classifies in any category $c \ne c_a$.
One writes $\mathrm{atk}^{\text{scenario}}_{R,C}$ to denote the specific attack atk performed to deceive $C$ in the R domain according to the selected scenario, and $D = \mathrm{atk}^{\text{scenario}}_{R,C}(A)$ an adversarial image obtained by running successfully this attack on the clean image $A$. Note that one usually considers only the first adversarial image obtained by a successful run of an attack, so that $D$ is uniquely defined.
Finally, one writes $C(D) = (c, \tau_c)$ the classification of the adversarial image obtained. Note that $(c, \tau_c) = (c_t, \tau_t)$ in the case of the target scenario.

Attack Scenarios Expressed in the H Domain
In the context of high-resolution (HR) images, let us denote by H the set of images that are larger than those of R. In other words, an image of size $h \times w$ (where $h$ designates the height, and $w$ the width of the image considered) belongs to H if $h \ge r_1$ and $w \ge r_2$. One assumes given a fixed degradation function that transforms any image $I \in H$ into a "degraded" image $\rho(I) \in R$. Then there is a well-defined composition of maps $C \circ \rho$ as shown in the following scheme: Given $A^{hr}_a \in H$, one obtains that way the classification of the reduced image $A_a = \rho(A^{hr}_a) \in R$ as $C(A_a) \in V$. We assume that the dominating category of the reduced image $A_a$ is without ambiguity, and denote by $C(A_a) = (c_a, \tau_a) \in V$ the outcome of $C$'s classification of $A_a$.
Thanks to the degradation function ρ, one can express in the H domain any attack scenario that makes sense in the R domain. This is in particular the case for the target scenario and for the untarget scenario.
Indeed, an adversarial HR image against $C$ for the $(c_a, c_t)$ target scenario performed by an attack atk target ∈ H, that satisfies two conditions (note that the notation $D^{hr,C}_t(A^{hr}_a)$, with $t$ as index, encapsulates and summarizes the fact that the adversarial image is obtained for the specific target scenario considered). On the one hand, a human should not be able to notice any visual difference between the original $A^{hr}_a$ and the adversarial D for the untarget scenario performed on $A^{hr}_a \in H$, and by $D^C_{\text{untarget}}(A^{hr}_a) \in R$ its degraded version. The generic attack scenario on $C$ in the HR domain can be visualized in the following scheme: Depending on the scenario considered, one has: and $(c, \tau_c)$ with $c$ such that $c \ne c_a$. Whatever the scenario, one also requires that a human is unable to notice any difference between the clean image $A^{hr}_a$ and the adversarial image $D^{hr,C}_{\text{scenario}}(A^{hr}_a)$ in H.

The Noise Blowing-Up Strategy
The method presented here (and introduced in [31]) attempts to circumvent the speed, adversity, and visual quality challenges mentioned in the Introduction, which are encountered when one intends to create HR adversarial images. While speed and adversity were successfully addressed in [29,30] via a strategy similar to some extent to the present one, the visual quality challenge remained partly unsolved. The refinement provided by our noise blowing-up strategy, which lifts to the H domain any attack working in the R domain, addresses this visual quality issue without harming the speed and adversity features. It furthermore simplifies and generalises the attack scheme described in [29,30].
In a nutshell, the noise blowing-up strategy applied to an attack atk on a CNN C following a given scenario, essentially proceeds as follows.
One considers a clean image $A_a \in R$, degraded from a clean image $A^{hr}_a \in H$ thanks to a degrading function ρ. Then one performs an attack $\mathrm{atk}^{\text{scenario}}_{R,C}$ on $A_a$ in the R domain, that leads to an image ∈ R, adversarial against the CNN for the considered scenario. Although getting such adversarial images in the R domain is crucial for obvious reasons, our strategy does not depend on how they are obtained and applies to all possible attacks $\mathrm{atk}^{\text{scenario}}_{R,C}$ working efficiently in the R domain. This feature contributes substantially to the flexibility of our method.
Then one computes the adversarial noise in R as the difference between the adversarial image and the clean image in R. Thanks to a convenient enlarging function λ, one blows up this adversarial noise from R to H. Then, one adds this blown-up noise to $A^{hr}_a$, creating that way a high-resolution image, called here the HR tentative adversarial image.
One checks whether this HR tentative adversarial image fulfills the criteria stated in the last paragraph of Section 2.3, namely becomes adversarial once degraded by the function ρ. Should this occur, it means that blowing up the adversarial noise in R has led to a noise in H that turns out to be also adversarial. If the blown-up noise is not sufficiently adversarial, one raises the expectations at the R level accordingly.
The concrete design of the noise blowing-up strategy, which aims at creating an efficient attack in the H domain once given an efficient attack in the R domain for some scenario, is given step-by-step in Section 3.1. A series of indicators is given in Section 3.2. The assessment of these indicators depends on the choice of the degrading and enlarging functions used to go from H to R, and vice versa. These choices are specified in Section 4.

Constructing Images Adversarial in H Out of Those Adversarial in R
Given a CNN $C$, the starting point is a large-size clean image $A^{hr}_a \in H$.
In Step 1, one constructs its degraded image $A_a = \rho(A^{hr}_a) \in R$. In Step 2, one runs $C$ on $A_a$ to get its classification in a category $c_a$. More precisely, one gets $C(A_a) = (c_a, \tau_a)$.
In Step 3, with notations consistent with those used in Section 2.3, one assumes given an attack $\mathrm{atk}^{\text{scenario}}_{R,C}$ on $A_a$ in the R domain, that leads to an image adversarial against the CNN for the considered scenario. As already stated, how such an adversarial image is obtained does not matter. For reasons linked to Step 5 and to Step 8, one denotes by $(c_{\text{bef}}, \tilde{\tau}_{c_{\text{bef}}})$ the outcome of the classification by $C$ of this adversarial image in R. The index "bef" indicates that these assessments and measures take place before the noise blowing-up process per se (Steps 4, 5, 6 essentially).
Step 4 consists in getting the adversarial noise $N^C(A_a) \in R$ as the difference of images living in R, one being the adversarial image of the clean other.
In Step 6, one creates the HR tentative adversarial image by adding this blown-up noise to the original high-resolution image as follows: In Step 7, the application of the reduction function ρ on this HR tentative adversarial image creates an image $D^C_{\text{scenario}}(A^{hr}_a) = \rho(D^{hr,C}_{\text{scenario}}(A^{hr}_a))$ in the R domain. Finally, in Step 8, one runs $C$ on $D^C_{\text{scenario}}(A^{hr}_a)$ to get its classification $(c_{\text{aft}}, \tau_{c_{\text{aft}}})$. The index "aft" indicates that these assessments and measures take place after the noise blowing-up process per se (Steps 4, 5, 6 essentially).
The attack succeeds if the conditions stated at the end of Section 2.3 are satisfied according to the considered scenario.
Remarks. (1) For reasons explained in Step 5, there is no reason that $\tilde{\tau}_{c_{\text{bef}}} = \tau_{c_{\text{aft}}}$ even when $C$ classifies both images $\tilde{D}^C_{\text{scenario}}(A_a)$ and $D^C_{\text{scenario}}(A^{hr}_a)$ in the same category $c = c_{\text{bef}} = c_{\text{aft}}$ (this condition is expected in the target scenario, provided this common category satisfies $c \ne c_a$). These label values are very likely to differ. This has two consequences: the first is to make mandatory the verification process performed in Step 8, let alone to make sure that the adversarial image is conveniently classified by $C$ according to the considered scenario; the second is that, for the target scenario, one should set the value of $\tilde{\tau}_{c_{\text{bef}}}$ in such a way as to ensure that the image $D^{hr,C}_t(A^{hr}_a)$ is indeed adversarial (see Section 3.2). (2) In the context of the untarget scenario, one should make sure that $c_{\text{aft}} \ne c_a$. In the context of the target scenario, one should also aim at getting $c_{\text{aft}} = c_{\text{bef}}$ (provided one succeeds in creating an adversarial image for which $c_{\text{bef}} \ne c_a$). These requirements are likely to influence the value set to $\tilde{\tau}_{c_{\text{bef}}}$ as well (see Section 3.2).
Scheme (11)

Indicators
Although both $\tilde{D}^C_{\text{scenario}}(A_a)$ and $D^C_{\text{scenario}}(A^{hr}_a)$ stem from $A^{hr}_a$ and belong to the same set R of low-resolution images, these images nevertheless differ in general, since $\rho \circ \lambda \ne \mathrm{id}_R$. Therefore, as already stated, this fact implies that the verification process performed in Step 8 is mandatory.
For the target scenario, one aims at $c_{\text{aft}} = c_{\text{bef}} = c_t$. Since $\tilde{\tau}_{c_t}$ and $\tau_{c_t}$ are likely to differ, one measures the difference with the real-valued loss function $L$ defined for $A^{hr}_a \in H$ as In particular, for the target scenario, our attack is effective if one can set accurately the value of $\tilde{\tau}_t$ to match the inequality $\tau_t \ge \tau$ for the threshold value τ, or to make sure that $D^C_t(A^{hr}_a)$ is a good enough adversarial image in the R domain while controlling the distance variations between $A^{hr}_a$ and the adversarial $D^{hr,C}_t(A^{hr}_a)$.
For the untarget scenario, one aims at $c_{\text{aft}} \ne c_a$. To hope to achieve $c_{\text{aft}} \ne c_a$, one requires $c_{\text{bef}} \ne c_a$. However, this requirement alone may not be sufficient to obtain $c_{\text{aft}} \ne c_a$. Indeed, depending on the attack, the adversarial image $D^C_{\text{untarget}}(A^{hr}_a)$ (in the R domain) may be very sensitive to the level of trust that $\tilde{D}^C_{\text{untarget}}(A^{hr}_a)$ (also in the R domain) belongs to the category $c_{\text{bef}}$. In other words, even if the attack performed in step 3 of the noise blowing-up strategy succeeded, steps 5 to 9 may not succeed under some circumstances, and it may occur that the image resulting from these steps is classified back to $c_a$.
Although less pronounced for the target scenario, a similar sensitivity phenomenon may nevertheless occur, leading to $c_{\text{aft}} \ne c_{\text{bef}}$ (hence to $c_{\text{aft}} \ne c_t$, since $c_{\text{bef}} = c_t$ in this scenario), and therefore to a failure of the noise blowing-up strategy.
For these reasons, it may be safer to ensure a "margin of security" measured as follows. One defines the Delta function $\Delta^C$ for $A^{hr}_a \in H$ as: where $c_{\text{next,bef}}$ is the second best category, namely the category $c$ for which the label value $\tilde{\tau}_c$ is the highest after the label value $\tilde{\tau}_{c_{\text{bef}}}$ of $c_{\text{bef}}$. Enlarging the distance of the label values between the best and second best category before launching the next steps of the noise blowing-up strategy may lead to higher success rates of the strategy (see Section 6).
Remark. Note that the present approach, unlike the approach initially introduced in [29,30], does not require frequent resizing of the adversarial images up and down via λ, ρ. In particular, if one knows how the loss function behaves (in the worst case, or on average) for a given targeted attack, then one can adjust a priori the value of $\tilde{\tau}_c$ accordingly, and be satisfied with one such resizing up and down. Mutatis mutandis for the untarget attack and the Delta function.
To assess the visual variations and the noise between the images (see Section . This ratio normalizes the weight of the noise with respect to the effect of the anyhow occurring composition $\lambda \circ \rho$. Said otherwise, it evaluates the impact created by the noise normalized by the impact created anyhow by the resizing functions.
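The following is an added example, not code from the paper: a dependency-free walk through Steps 1 to 8 of Section 3.1 and the loss and Delta indicators above, showing why the Step 8 re-check is mandatory when ρ ∘ λ is not the identity. The 4 × 4 / 8 × 8 grayscale sizes, the block-mean ρ, the bilinear λ, the three-category linear `classify` stand-in for C, the constructed images and noises, and the readings "loss = label value before minus after" and "Delta = best minus second-best label value before" are all assumptions of this illustration.

```python
import math

# Added illustration, not the paper's code. rho, lam, classify and every input
# below are constructed stand-ins chosen so the arithmetic is easy to follow.
R, H = 4, 8  # toy sizes: the R domain is 4x4, the H domain is 8x8, grayscale 0..255

def rho(img):
    """Degrading function H -> R: 2x2 block mean (stand-in for Lanczos)."""
    return [[sum(img[2 * i + a][2 * j + b] for a in (0, 1) for b in (0, 1)) / 4.0
             for j in range(R)] for i in range(R)]

def _src(u):
    """Bilinear sampling position in R for H coordinate u: (index0, index1, weight1)."""
    x = min(max((u + 0.5) / 2.0 - 0.5, 0.0), R - 1.0)
    i0 = int(x)
    return i0, min(i0 + 1, R - 1), x - i0

def lam(noise):
    """Enlarging function R -> H: bilinear interpolation, applied to the noise only."""
    out = []
    for u in range(H):
        r0, r1, wr = _src(u)
        row = []
        for v in range(H):
            c0, c1, wc = _src(v)
            top = (1 - wc) * noise[r0][c0] + wc * noise[r0][c1]
            bot = (1 - wc) * noise[r1][c0] + wc * noise[r1][c1]
            row.append((1 - wr) * top + wr * bot)
        out.append(row)
    return out

def classify(x):
    """Toy 3-category stand-in for the CNN C on R: (dominant category, label values)."""
    sign = lambda i, j: 1 if (i + j) % 2 == 0 else -1
    f_low = sum(r[0] + r[1] - r[2] - r[3] for r in x) / (2.0 * R)  # left vs right half
    f_high = sum(sign(i, j) * x[i][j] for i in range(R) for j in range(R)) / (R * R)
    e = [math.exp(z) for z in (0.0, 0.5 * f_low - 3.0, 0.5 * f_high - 3.0)]
    o = [v / sum(e) for v in e]
    return o.index(max(o)), o

def blow_up(a_hr, d_r):
    """Steps 1-8: lift the noise of a given R-domain adversarial image d_r to H, re-check."""
    a = rho(a_hr)                                                        # Step 1
    c_a, _ = classify(a)                                                 # Step 2
    c_bef, o_bef = classify(d_r)                                         # Step 3 (d_r given)
    noise = [[d_r[i][j] - a[i][j] for j in range(R)] for i in range(R)]  # Step 4
    n_hr = lam(noise)                                                    # Step 5
    d_hr = [[min(255, max(0, int(round(a_hr[u][v] + n_hr[u][v]))))      # Step 6, 8-bit
             for v in range(H)] for u in range(H)]
    c_aft, o_aft = classify(rho(d_hr))                                   # Steps 7 and 8
    return {
        "c_a": c_a, "c_bef": c_bef, "c_aft": c_aft,
        "tau_bef": o_bef[c_bef], "tau_aft": o_aft[c_bef],
        "loss": o_bef[c_bef] - o_aft[c_bef],        # assumed reading of the loss
        "delta": o_bef[c_bef] - max(v for k, v in enumerate(o_bef) if k != c_bef),
        "adversarial_after": c_aft != c_a,
    }

def add(img, noise):
    return [[img[i][j] + noise[i][j] for j in range(R)] for i in range(R)]

# Constructed inputs: a smooth clean HR image and two hand-made R-domain noises.
A_HR = [[100 + 4 * u for _ in range(H)] for u in range(H)]
A_R = rho(A_HR)
STEP = [[8, 8, -8, -8] for _ in range(R)]                                        # low frequency
CHECKER = [[8 if (i + j) % 2 == 0 else -8 for j in range(R)] for i in range(R)]  # high frequency

if __name__ == "__main__":
    for name, n in (("step", STEP), ("checker", CHECKER)):
        print(name, blow_up(A_HR, add(A_R, n)))
```

With these inputs the low-frequency noise keeps its category after the round trip with a small positive loss, while the checkerboard noise, adversarial in R, is attenuated by λ followed by ρ and the image is classified back to the clean category.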

Ingredients of the Experimental Study
This section specifies the key ingredients used in the experimental study performed in Section 5: degrading and enlarging functions, CNNs, HR clean images, attacks and scenarios. We also take advantage of the outcomes of [29][30][31] for the choice of some parameters used in the experimental study.

The Selection of ρ and of λ
The assessment of the indicators of Section 3.2, and therefore the performances and adequacy of the resized tentative adversarial images obtained between R and H, clearly depend on the reducing and enlarging functions ρ and λ selected in Scheme (11).
The calls (ρ, λ, ρ) to the degrading and enlarging functions (performed in Step 1 for the first call of ρ, in Step 5 for the unique call of λ, and in Step 7 for the second call of ρ) are "aside" from the actual attacks performed in the R domain. However, both the adversity and the visual quality of the HR adversarial images are highly sensitive to the selected combination.
Moreover, as pointed out in [29], enlarging functions usually have difficulties with high-frequency features. This phenomenon leads to an increased blurriness in the resulting image. Therefore, the visual quality of (and the speed to construct, see [29]) the high-resolution adversarial images obtained by our noise blowing-up strategy benefits from a scarce usage of the enlarging function. Consequently, the scheme minimizes the number of times λ (and consequently ρ) are used.
We considered four non-adaptive methods that convert an image from one scale to another. Indeed, the Nearest Neighbor [44], the Bilinear method [45], the Bicubic method [46] and the Lanczos method [47,48] are among the most common interpolation algorithms, and are available in Python libraries. Note that the Nearest Neighbor method is the default degradation function of the Keras load_img function [35]. Tests performed in [29,30] lead to reducing the resizing functions to the Lanczos and the Nearest methods.
We performed a case study with the 8 possible different combinations (ρ, λ, ρ) obtained with the Lanczos and the Nearest methods (see Appendix B for the full details). Its outcomes lead us to recommend the combination (ρ, λ, ρ) = (Lanczos, Lanczos, Lanczos) (see also Section 4.3).

The CNNs
The experimental study is performed on 10 diverse and commonly used CNNs trained on ImageNet (see [27] for the reasons for these choices). These CNNs are specified in Table 1.

The HR Clean Images
The experiments are performed on 100 HR clean images. More specifically, Table 2 gives the 10 ancestor categories $c_a$, and the 10 corresponding target categories $c_t$ used in the $(c_a, c_t)$-target scenario whenever applicable (see Section 4.4). These categories (ancestor or target) are the same as those of [27,49], which were picked at random among the 1000 categories of ImageNet. For each ancestor category, we picked at random 10 clean ancestor images from the ImageNet validation set in the corresponding $c_a$ category, provided that their size $h \times w$ satisfies $h \ge 224$ and $w \ge 224$. This requirement ensures that these images $A^{hr}_a$ belong to the H domain. These images are pictured in Figure A1 in Appendix A, while Table A1 gives their original sizes. Note that, out of the 100 HR clean images in Figure A1, 92 coincide with those used in [27,49] (which were picked at random in this article). We replaced the 8 remaining images used in [27,49] whose sizes did not fulfill the requirement. As a consequence, the images $A^1_1$ and $A^{10}_1$ in the category $c_{a_1}$, $A^3_3$ in the category $c_{a_3}$, $A^1_5$, $A^2_5$, $A^7_5$ in the category $c_{a_5}$, and $A^4_9$, $A^7_9$ in the category $c_{a_9}$ differ from those of [27,49].
Although the images $A^p_q$ are picked from the ImageNet validation set in the categories $c_{a_q}$, CNNs may not systematically classify all of them in the "correct" category $c_{a_q}$ in the process of Steps 1 and 2 of Scheme (11). Indeed, Tables A2 and A3 in Appendix A show that this phenomenon occurs for all CNNs, whether one uses ρ = "Lanczos" (L) or "Nearest" (N). Table 3 summarizes these outcomes, where $S^C_{\text{clean}}(\rho)$ designates the set of "correctly" classified clean images $A^p_q$.
Table 3. For each CNN $C_k$ (1st row), number of clean HR images $A^p_q$ classified by $C_k$ in the "correct" category $c_{a_q}$ either with the degrading function ρ = "Lanczos" (2nd row), or with ρ = "Nearest" (3rd row).
Table 3 shows that the sets $S^C_{\text{clean}}(L)$ and $S^C_{\text{clean}}(N)$ usually differ. Tables A2 and A3 prove that this holds as well for $C = C_7, C_9, C_{10}$ although both sets have the same number of elements.
In any case, the "wrongly" classified clean images are from now on disregarded since they introduce a native bias.Experiments are therefore performed only for the "correctly" classified HR clean images belonging to S C clean (ρ).

The Attacks
We considered seven well-known attacks against the 10 CNNs given in Table 1. Table 4 lists these attacks, and specifies (with an "x") whether we use them in the experiments for the targeted scenario, for the untargeted scenario, or for both (see Table 5 for a justification of these choices), and their white-box or black-box nature. To be more precise, if an attack admits a dual nature, namely black-box and white-box (potentially semi-white-box), we consider the attack only in its more demanding black-box nature. This leads us to consider three black-box attacks (EA, AdvGAN, SimBA) and four white-box attacks (FGSM, BIM, PGD Inf, PGD L2).
Let us now briefly describe these attacks while specifying the parameters to be used in the experiments. Note that, except (for the time being) for the EA attack, all attacks were applied with the Adversarial Robustness Toolbox (ART) [50], which is a Python library that includes several attack methods.
Table 4. List of attacks considered, their white-box or black-box nature, and the scenarios for which they are run in the present study.

- EA attack [25,27] is an evolutionary algorithm-based black-box attack. It begins by creating a population of ancestor image copies and iteratively modifies their pixels over generations. The attack's objective is defined by a fitness function that uses an individual's $c_t$ probability obtained from the targeted CNN. The population size is set to 40, and the pixel mutation magnitude per generation is α = 1/255. The attack is executed in both targeted and untargeted scenarios. For the targeted scenario, the adversarial image's minimum $c_t$-label value is set to $\tau_t \geq 0.55$. The maximum number of generations is set to N = 10,000.
- Adversarial GAN attack (AdvGAN) [51] is a type of attack that operates in either a semi-white-box or black-box setting. It uses a generative adversarial network (GAN) to create adversarial images by employing three key components: a generator, a discriminator, and the targeted neural network. During the attack, the generator is trained to produce perturbations that can convert original images into adversarial images, while the discriminator ensures that the generated adversarial image appears identical to the original image. The attack is executed in the black-box setting.
- Simple Black-box Attack (SimBA) [52] is a versatile algorithm that can be used for both black-box and white-box attacks. It works by randomly selecting a vector from a predefined orthonormal basis and adding or subtracting it from the target image. SimBA is a simple and effective method that can be used for both targeted and untargeted attacks.
For our experiments, we utilized SimBA in the black-box setting with the overshoot parameter epsilon set to 0.2, batch size set to 1, and the maximum number of generations set to 10,000 for both targeted and untargeted attacks.
- Fast Gradient Sign Method (FGSM) [53] is a white-box attack that works by using the gradient of the loss function J(X,y) with respect to the input X to determine the direction in which the original input should be modified. FGSM is a one-step algorithm that can be executed quickly. In its untargeted version, the adversarial image is while in its targeted version it is where ϵ is the perturbation size which is calculated with $L_\infty$ norm and ∆ is the gradient function. We set eps_step = 0.01 and ϵ = 8/255.
- Basic Iterative Method (BIM) [54] is a white-box attack that is an iterative version of FGSM. BIM is a computationally expensive attack, as it requires calculating the gradient at each iteration. In BIM, the adversarial image $X^{adv}$ is initialized with the original image X and gradually updated over a given number of steps N as follows: in its untargeted version and in its targeted version, where α is the step size at each iteration and ϵ is the maximum perturbation magnitude of $X^{adv} = X^{adv}_N$. We use eps_step = 0.1, max_iter = 100, and ϵ = 2/255.
- Projected Gradient Descent Infinite (PGD Inf) [55] is a white-box attack that is similar to the BIM attack, but with some key differences. In PGD Inf, the initial adversarial image is not set to the original image X, but rather to a random point within an $L_p$-ball around X. The distance between X and $X^{adv}$ is measured using the $L_{norm}$. For our experiments, we set the norm parameter to ∞, which indicates the use of the $L_\infty$ norm. We also set the step size parameter eps_step to 0.1, the batch size to 32, and the maximum perturbation magnitude ϵ to 8/255.

Experimental Results of the Noise Blowing-Up Method
The experiments, following the process implemented in Scheme (11), essentially proceed in two phases for each CNN listed in Table 1, and for each attack and each scenario specified in Table 4.
Phase 1, whose results are given in Section 5.1, mainly deals with running $\mathrm{atk}^{\text{scenario}}_{R,C}$ on degraded images in the R domain. It corresponds to Step 3 of Scheme (11). The results of these experiments are interpreted in Section 5.2.
Remark. It is worthwhile noting that Step 3, which is, of course, mandatory in the whole process, should be considered an independent feature of the noise blowing-up strategy. Indeed, although its results are necessary for the experiments performed in the subsequent steps, the success or failure of Phase 1 measures the success or failure of the considered attack (EA, AdvGAN, BIM, etc.) for the considered scenario (target or untarget) in its usual environment (the low-resolution R domain). In other words, the outcomes of Phase 1 do not assess in any way the success or failure of the noise blowing-up strategy. This very aspect is addressed in the experiments performed in Phase 2.
Phase 2, whose results are given in Section 5.3, indeed encapsulates the essence of running $\mathrm{atk}^{\text{scenario}}_{H,C}$ via the blowing-up of the adversarial noise from R to H. It corresponds to Steps 4 to 8 of Scheme (11). The results of these experiments are interpreted in Section 5.4.

Phase 1: Running $\mathrm{atk}^{\text{scenario}}_{R,C}$
Table 5 summarizes the outcome of running the attacks $\mathrm{atk}^{\text{scenario}}_{R,C_k}$ on the 100 clean ancestor images $\rho(A^p_q) \in R$, obtained by degrading, with the ρ = "Lanczos" function, the HR clean images $A^p_q$ represented in Figure A1, against the 10 CNNs $C_1, \dots, C_{10}$, either for the untarget scenario, or for the $(c_a, c_t)$ target scenario.
Table 5 gives the number of successfully generated adversarial images in the R domain created by seven attacks against 10 CNNs, for either the targeted (targ) or the untargeted (untarg) scenario. In the last three rows, the maximum, minimum, and average dominant label values achieved by each successful targeted/untargeted attack are reported across all CNNs.

Interpretation of the Results of Phase 1
Except for SimBA and FGSM for the target scenario, one sees that all attacks are performing well for both scenarios. Given SimBA and FGSM's poor performance in generating adversarial images for the target scenario (see Remark at the beginning of this Section), we decided to exclude them from the subsequent noise blowing-up strategy for the target scenario.
The analysis of the average dominant label values reveals as expected that white-box attacks usually create very strong adversarial images. This is the case for BIM, PGD Inf, and PGD L2 in both the targeted and untargeted scenarios. A contrario but also as expected, black-box attacks (EA, AdvGAN for both scenarios, and SimBA for the untarget scenario) achieved lower label values for the target scenario and significantly lower label value of the dominant category for the untarget scenario. This specific issue (or, better said, its consequences as reported in Sections 5.3 and 5.4) is addressed in Section 6.

Phase 2: Running $\mathrm{atk}^{\text{scenario}}_{H,C}$
For the relevant adversarial images kept from Table 5, one proceeds with the remaining steps of Scheme (11) with the extraction of the adversarial noise in the R domain, its blowing-up to the H domain, its addition to the clean HR corresponding image, and the classification by the CNN of the resulting tentative adversarial image.
The speed of the noise blowing-up method is directly impacted by the size of the clean high-resolution image (as pointed out in [31]). Therefore, representative HR clean images of large size and small sizes are required to assess the additional computational cost (both in absolute and relative terms) involved by the noise blowing-up method. To ensure a fair comparison across various attacks and CNNs, we selected for each scenario (targeted or untargeted) HR clean images where all attacks successfully generated HR adversarial images against 10 CNNs. This led to the images referred to in Table 6 (the Table indicates their respective sizes h × w). The performance of the noise blowing-up method is summarized in Table 7 for adversarial images generated by $\mathrm{atk}^{\text{targeted}}_{H,C}$ for reasons given in Section 5.2). The adversarial images in R used for these experiments are those referred to in Table 5.
For each relevant attack and CNN, the measures of a series of outcomes are given in Tables 7 and 8.
Regarding targeted attacks (the five attacks EA, AdvGAN, BIM, PGD Inf, and PGD L2 are considered) as summarized in Table 7, the row $c_{aft} = c_{bef}$ (and $= c_t$) gives the number of adversarial images for which the noise blowing-up strategy succeeded. The row SR gives the resulting success rate in % (for example, with EA and $C_1$, SR = 81/89 = 91%). The row $c_{aft} \neq c_{bef}$ reports the number of adversarial images for which the noise blowing-up strategy failed. The row $c_{aft} = c_a$ reports the number of images, among those that failed, that are classified back to $c_a$. The row $L_C$ gives the mean value of the loss function (see Section 3.2) for the adversarial images that succeeded, namely those referred to in the row $c_{aft} = c_{bef}$. Relevant sums or average values are given in the last column.
Regarding untargeted attacks (the seven attacks are considered) as summarized in Table 8, the row $c_{aft} \neq c_a$ gives the number of adversarial images for which the noise blowing-up strategy succeeded, and the row SR gives the resulting success rate. The row $c_{aft} = c_{bef}$ reports the number of images, among those that succeeded, that are classified in the same category as the adversarial image obtained in Phase 1. The row $c_{aft} = c_a$ reports the number of images for which the strategy failed. Relevant sums or average values are given in the last column.
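The row definitions of Tables 7 and 8 can be checked with a short tally, given here as an added example that is not code from the paper. The 81/89 split reproduces the EA and C 1 figure quoted above; the label names, the breakdown of the 8 failures, and the untargeted sample are constructed for illustration.

```python
def success_rate(succeeded, total):
    """Success rate in %, rounded to one decimal; None when there is nothing to rate."""
    return round(100 * succeeded / total, 1) if total else None


def tally_targeted(records):
    """Rows of the targeted table.

    records: list of (c_a, c_bef, c_aft) labels, one per adversarial image
    kept from Phase 1, where c_bef equals the target category c_t.
    """
    succeeded = sum(1 for _, c_bef, c_aft in records if c_aft == c_bef)
    failed = len(records) - succeeded
    # Among the failures, images the CNN classifies back into the ancestor category.
    back_to_ca = sum(
        1 for c_a, c_bef, c_aft in records if c_aft != c_bef and c_aft == c_a
    )
    return {
        "c_aft == c_bef": succeeded,
        "SR": success_rate(succeeded, len(records)),
        "c_aft != c_bef": failed,
        "c_aft == c_a": back_to_ca,
    }


def tally_untargeted(records):
    """Rows of the untargeted table: any category other than c_a is a success."""
    succeeded = sum(1 for c_a, _, c_aft in records if c_aft != c_a)
    # Among the successes, images that stay in the category reached in Phase 1.
    same_as_bef = sum(
        1 for c_a, c_bef, c_aft in records if c_aft != c_a and c_aft == c_bef
    )
    failed = len(records) - succeeded
    return {
        "c_aft != c_a": succeeded,
        "SR": success_rate(succeeded, len(records)),
        "c_aft == c_bef": same_as_bef,
        "c_aft == c_a": failed,
    }


# Constructed sample: 89 Phase 1 images, 81 of which stay in the target category.
TARGETED = (
    [("acorn", "snail", "snail")] * 81   # stays in c_bef = c_t
    + [("acorn", "snail", "acorn")] * 5  # falls back to c_a
    + [("acorn", "snail", "slug")] * 3   # drifts to a third category
)

# Constructed sample for the untargeted rows.
UNTARGETED = (
    [("acorn", "snail", "snail")] * 6
    + [("acorn", "snail", "slug")] * 2
    + [("acorn", "snail", "acorn")] * 2
)

if __name__ == "__main__":
    print(tally_targeted(TARGETED))
    print(tally_untargeted(UNTARGETED))
```

An image that drifts to a third category counts as a failure in the targeted tally and as a success in the untargeted one, which is why the row $c_{aft} = c_{bef}$ plays a different role in the two tables.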
To assess the visual imperceptibility of adversarial images compared to clean images, we utilize $L_p$-norms and FID values (see Section 3.2). The average (Avg) and standard deviation (StDev) values of the $L_p$-norms and FID values, across all CNNs for each attack, are provided for both targeted and untargeted scenarios in Tables 9 and 10, respectively (see Tables A6 and A7 for a detailed report of FID values). Table 9 considers only the successful adversarial images provided in Table 7, namely those identified by $c_{aft} = c_{bef}$, provided their number is statistically relevant (which leads to the exclusion of AdvGAN images). Table 10 considers only the successful adversarial images obtained in Table 8, namely those identified by $c_{aft} \neq c_a$ (all considered attacks lead to a number of adversarial images that is statistically relevant). This is indicated by the pair "atk/# of adversarial images used". Tables 9 and 10 also provide an assessment of the visual impact of the resizing functions ρ and λ on the considered clean images for which adversarial images are obtained by atk.
Table 7. Performance of the noise blowing-up strategy on adversarial images generated with attacks for the targeted scenario $(c_a, c_{bef})$ (with $c_{bef} = c_t$) against 10 CNNs. The symbol ↑ (resp. ↓) indicates the higher (resp. the lower) the value the better.
Under these conditions, Table 11 for the target scenario (respectively Table 12 for the untarget scenario) provides the execution times in seconds (averaged over the 10 CNNs for each attack and scenario) for each step of the noise blowing-up method, as described in Scheme (11), for the generation of HR adversarial images from large $A^{10}_1$ and small $A^1_2$ HR clean images (respectively large $A^9_6$ and small $A^4_8$ HR clean images). The Overhead column provides the time of the noise blowing-up method per se, namely computed as the cumulative time of all steps of Scheme (11) except Step 3. The ‰ column displays the relative per mille additional time of the overhead of the noise blowing-up method as compared to the underlying attack atk performed in Step 3.
(11) for the generation of HR adversarial images for the HR clean images $A^9_6$ and $A^4_8$. The Overhead column provides the cumulative time of all steps except Step 3. The ‰ column displays the relative per mille additional time of the Overhead as compared to the time required by atk performed in Step 3.

Interpretation of the Results of Phase 2
In the targeted scenario, the noise blowing-up strategy achieved an overall average success rate (over all attacks and CNNs) of 74.7% (see Table 7).
Notably, the strategy performed close to perfection with PGD Inf, achieving an average success rate of 99.2% (and minimal loss of 0.009). The strategy also performed very well with PGD L2, EA, and BIM, with average success rates of 93.2%, 91.5%, and 88.6%, respectively. In contrast, the strategy performed poorly with AdvGAN, achieving a success rate oscillating between 0% (for 8 CNNs) and 8.7%, leading to an average success rate of 0.9%.
The reason for the success of the noise blowing-up strategy for PGD Inf, PGD L2, EA and BIM, and its failure for AdvGAN is essentially due to the behavior, for these attacks, of the average label values of the dominant categories obtained in Table 5, hence is due to a phenomenon occurring before the noise blowing-up process per se.
The adversarial noises, obtained after Phase 1 (in the R domain) by all attacks except AdvGAN, are particularly robust, and "survive" the Phase 2 treatment: The noise blowing-up process did not significantly reduce their adversarial properties legacy, and the derived adversarial images, obtained after the noise blowing-up process, remained in the target category.
The situation differs for AdvGAN: After Phase 1, the target category is only modestly dominating other categories, and one (or more) other categories achieve only slightly weaker label values than the dominating target category. Consequently, the adversarial noise becomes highly susceptible to even minor perturbations, with the effect that these perturbations can easily cause transitions between categories.
In the untargeted scenario, the noise blowing-up strategy achieved an overall average success rate (over all attacks and CNNs) of 63.9% (see Table 8).
The reason for these differences in the successes of the strategy according to the considered attacks is the same as seen before in the target scenario: the behavior of the average label values of the dominating category obtained in Table 5 (hence, in this case too, before the noise blowing-up process).
The adversarial noises, obtained after Phase 1 by all white-box attacks, are particularly robust, and those obtained by all black-box attacks are less resilient. In this latter case, the adversarial noise leveraged to create the tentative adversarial image by the noise blowing-up process is much more sensitive to minor perturbations, with similar consequences as those already encountered in the target scenario.

Visual quality of the adversarial images:
The values of $L^{\text{norm,adv}}_{0,R}$ in Table 9 (resp. Table 10) show that the attacks performed for the target scenario manipulate on average 82% of the pixels of the downsized (hence in R) clean image (resp. 94% for the untarget scenario).
Nevertheless, the values of $L^{\text{norm,adv}}_{0,H}$ in both tables (hence in the larger H domain, after the noise blowing-up process) are lower, with an overall average of 74% for the targeted scenario (resp. 83% for the untargeted scenario). This trend is consistent across all $L_p$ values (p = 0, 1, 2, ∞), with $L^{\text{norm,adv}}_{p,R}$ generally higher than the corresponding $L^{\text{norm,adv}}_{p,H}$ values for all attacks (the values are closely aligned, though, for p = ∞).
Additionally, $\mathrm{FID}^{\text{adv}}_H$ values, comparing clean and adversarial images obtained by the noise blowing-up method, ranging between 5.3 (achieved by BIM) and 17.6 in the targeted scenario (with average 11.1, see Table 9), and between 3.7 (achieved by EA) and 49.5 in the untargeted scenario (with average 16.5, see Table 10), are significantly low (it is not uncommon to have values in the range 300-500). In other words, the adversarial images maintain a visual quality and proximity to their clean counterparts.
It is important to highlight that the simple operation of scaling down and up the clean images results in even larger $L^{\text{norm,clean}}_{p,H}$ values than $L^{\text{norm,adv}}_{p,H}$ for p = 0, 1, ∞ for all attacks and scenarios (see Tables 9 and 10; note that the values for p = 2 are too small to assess the phenomenon described above). When one compares $\mathrm{FID}^{\text{clean}}_H$ to $\mathrm{FID}^{\text{adv}}_H$, the same phenomenon occurs for three out of 4 targeted attacks (EA is the exception), and for five out of 7 untargeted attacks (FGSM and PGD Inf being the exceptions).
Said otherwise, the interpolation techniques usually cause more visual damage than the attacks themselves, at least as measured by these indicators.

Speed of the noise blowing-up method:
The outcomes of Tables 11 and 12 for the overhead of the noise blowing-up method (all steps except Step 3) and its relative cost as compared to the actual attack (performed in Step 3) are twofold.
Firstly, the performance of the noise blowing-up strategy depends on the size of the image: It is substantially faster (between 3.24 times and 6.31 times on average) for smaller than for larger HR clean images.
Secondly, and this is probably the most important outcome of both, the noise blowing-up method demonstrates exceptional speed both in absolute and in relative terms, and consequently an exceptionally minimal overhead, even for large-size HR clean images.
Indeed, the overhead ranges between 0.100 s and 0.757 s on average over 10 CNNs (0.100 s achieved in the untargeted scenario for atk = PGD Inf and $A^4_8$; 0.757 s achieved in the targeted scenario for atk = EA and $A^{10}_1$). This is to be compared to the extreme timing values of the attacks performed in Step 3, ranging between 58.1 and 848.7 s all in all (and ranging between 81.8 and 848.7 s for the cases related to the 0.100 and 0.757 s referred to).
Looking at the relative weight of the overhead as compared to atk is even more telling: It ranges between 0.28‰ and 12.75‰, hence is almost negligible.

Revisiting the Failed Cases with $\Delta_C$
The summary of Section 5.4 is essentially threefold. Firstly, the noise blowing-up strategy performs very well and with a negligible timing overhead in the target scenario for all five relevant attacks except AdvGAN, and in the untargeted scenario for all four white-box attacks but not for the three black-box attacks. Secondly, the poor performances of the strategy for AdvGAN (target scenario and untargeted scenario), EA (untargeted scenario), and SimBA (untargeted scenario) are essentially due to too low requirements put on these attacks during Phase 1 (Step 3 of Scheme (11), hence ahead of the noise blowing-up process). Thirdly, although between 74% and 83% of the pixels are modified on average, the adversarial images remain visually very close to their corresponding clean images, and actually and surprisingly the attacks themselves tend to reduce the differences introduced by the interpolation functions.
We revisit these failed cases and make use of the Delta function $\Delta_C$ introduced in Section 3.2 for this purpose. Indeed, we identified the origin of the encountered issues as essentially due to the too low distance between the label values of the dominating category and its closest competitors, hence due to a very small value of $\Delta_C$ for the considered images and CNNs.
Given $A^{hr}_a$ and $A_a$ (Step 1), and $c_a$ (Step 2), we study in this Subsection how setting the increase of the values of $\Delta_C$ as a requirement in Step 3 of Scheme (11) impacts the success rate of the noise blowing-up strategy for the failed cases. Note that putting additional requirements on $\Delta_C$ may lead to fewer adversarial images at the end of Phase 1 as $\Delta_C$ increases.
We limit this study to atk = EA (untargeted scenario) and atk = AdvGAN (untargeted and target scenario). We regrettably exclude SimBA since we do not have access to its code.
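The role of the margin can be made concrete with a small robustness check, given here as an added example that is not code from the paper. It assumes Δ C is the gap between the dominant label value and its closest competitor, as described above (the exact definition is in Section 3.2); the label vectors are constructed, and modelling the effect of later processing as a per-label shift of at most `bound` is an assumption made for illustration.

```python
import random


def delta_c(label_values):
    """Gap between the dominant label value and its closest competitor."""
    top, runner_up = sorted(label_values, reverse=True)[:2]
    return top - runner_up


def dominant(label_values):
    """Index of the dominant category."""
    return max(range(len(label_values)), key=label_values.__getitem__)


def survives_any_shift(label_values, bound):
    """True when no per-label shift of magnitude <= bound can change the
    dominant category. The top value drops by at most `bound` and any
    competitor rises by at most `bound`, so a margin above 2 * bound suffices."""
    return delta_c(label_values) > 2 * bound


def keep_by_margin(candidates, threshold):
    """Stop condition on the margin: keep only candidates with delta_c >= threshold."""
    return [v for v in candidates if delta_c(v) >= threshold]


def flip_rate(candidates, bound, trials=200, seed=0):
    """Fraction of random bounded shifts that change the dominant category."""
    rng = random.Random(seed)
    flips = total = 0
    for values in candidates:
        before = dominant(values)
        for _ in range(trials):
            shifted = [x + rng.uniform(-bound, bound) for x in values]
            flips += dominant(shifted) != before
            total += 1
    return flips / total if total else 0.0


# Constructed label vectors (four categories each), not measurements from the paper.
CANDIDATES = [
    [0.10, 0.62, 0.20, 0.08],  # margin 0.42
    [0.05, 0.41, 0.39, 0.15],  # margin 0.02, close competitor
    [0.02, 0.90, 0.05, 0.03],  # margin 0.85
    [0.30, 0.33, 0.31, 0.06],  # margin 0.02, two close competitors
    [0.10, 0.75, 0.10, 0.05],  # margin 0.65
]

if __name__ == "__main__":
    for threshold in (0.0, 0.3, 0.55):
        kept = keep_by_margin(CANDIDATES, threshold)
        print(threshold, len(kept), flip_rate(kept, bound=0.05))
```

Raising the threshold shrinks the set of retained images and drives the flip rate to zero once every retained margin exceeds twice the shift bound, which mirrors the trade-off between image count and success rate studied in this section.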

Revisiting the Failed Cases in Both Scenarios
The untargeted scenario revisited for atk = EA and atk = AdvGAN. The new consideration of the failed cases proceeds by taking a hybrid approach in Step 3, leading to two successive sub-steps Step 3(a) and Step 3(b).
Step 3(a) consists in running $\mathrm{atk}^{\text{untarget}}_{R,C}$ until it succeeds in creating a first adversarial image in R classified outside the ancestor category $c_a$. The obtained category $c_{bef} \neq c_a$ is therefore the most promising category outside $c_a$.
In Step 3(b), we change the version of the attack and run $\mathrm{atk}^{\text{target}}_{R,C}$ on the adversarial image obtained at the end of Step 3(a) for the target scenario $(c_a, c_{bef})$, with a (more demanding) stop condition defined by a threshold value on $\Delta_C$ set at will.
Remarks: (1) To summarize this hybrid approach, Step 3(a) identifies the most promising category $c_{bef}$ outside $c_a$ (and does so by "pushing down" the $c_a$ label value until another category $c_{bef}$ shows up), and Step 3(b) "pushes further" the attack in the direction of $c_{bef}$ until the label value of this dominant category is sufficiently ahead of all other competitors.
(2) Although this hybrid approach mixes the untargeted and the target versions of the attack (be it EA or AdvGAN), it fits the untargeted attack scenario nevertheless. Indeed, the category $c_{bef} \neq c_a$ is not chosen a priori as would be the case in the target scenario but is obtained alongside the attack, and is an outcome of $\mathrm{atk}^{\text{untarget}}_{R,C}$.
The target scenario revisited for atk = AdvGAN. We address the failed cases by requiring in Step 3 of Scheme (11), that DC target (A a ) ∈ R is classified in $c_t$ and that $\Delta_C(A^{hr}_a)$ is large enough.

Outcome of Revisiting the Failed Cases
One constructs the graph of the evolution of the success rate (y-axis, in %) of the noise blowing-up strategy performed for the considered attack for the untargeted scenario according to step-wise increasing values (x-axis) set to ∆ C .
Figure 4 for atk = EA (untargeted scenario), Figure 5 for atk = AdvGAN (untargeted scenario) and Figure 6 for atk = AdvGAN (targeted scenario) picture this evolution for an example, namely $C_4$-MobileNet (a), on average over the 10 CNNs (b), and per CNN for all considered images (c).
UT (resp. T) in (a) and (b) of Figures 4 and 5 (resp. of Figure 6) recalls the "original" success rate achieved by the noise blowing-up method in creating adversarial images without putting extra conditions on $\Delta_C$ (see Table 8, resp. Table 7). The values at the top of the Figures are the number of images obtained after Phase 1, as $\Delta_C$ increases.
Detailed reports for each CNN can be found in Appendix C, Figures A2-A4.
In the untargeted scenario for atk = EA, the approach adopted for the revisited failed cases turns out to be overwhelmingly successful, and this in a uniform way over the 10 CNNs. The overall number of considered images drops only by 0.6%, namely from 920 to 914 (in the example of $C_4$, this drop is of one image only), while the success rate drastically increases from an original 9.9% to 98.7%. In the example of $C_4$, the success rate increases from 11.7% to 98.9%; a success rate of 100% is even achieved for six out of 10 CNNs, even for moderate values of $\Delta_C$.
In the untargeted scenario for atk = AdvGAN, the approach is also successful, but to a lesser extent, and with variations among the CNNs. The overall number of considered images drops by 43%, namely from 876 to 500 images (in the example of $C_4$, this drop amounts to 22 images, hence almost 27% fewer images), while the success rate increases from an original 9.9% to 73.1% (in the example of $C_4$, the success rate increases from 4.9% to 71.2%). Apart from $C_2$ and $C_5$, where the success rate of the revisited method achieves at most 50% and 25.8%, all CNNs are reasonably well deceived by the method; the success rate achieves even 100% for two of them, and this for moderate values of $\Delta_C$.
In the targeted scenario, for atk = AdvGAN, the approach also proves useful, but to a lesser extent as above, and with larger variations among the CNNs. The overall number of considered images drops by 21%, namely from 758 to 594 images (from 88 to 72 images, hence almost 18% fewer images for $C_4$), while the success rate increases from an original 0.3% to 50.8% (in the example of $C_4$, the success rate increases from 0% to 34.7%). It is worthwhile noting that the method works to perfection with a success rate reaching 100% for two CNNs ($C_9$ and $C_{10}$), even with a moderate $\Delta_C$ value.
Table 13 summarizes the outcomes of the numerical experiments when $\Delta_C$ is set to the demanding value 0.55. As a consequence, it is advisable to set (for Phase 1, Step 3) $\tau_{c_{bef}}$ to 0.78 for $\mathrm{EA}^{\text{untarg}}$, to 0.76 for $\mathrm{AdvGAN}^{\text{targ}}$, and to 0.79 for $\mathrm{AdvGAN}^{\text{untarg}}$ to be on the safe side (these values exceed the maxima referred to in Table 13).
Finally, experiments show that the visual quality of the HR adversarial images obtained by the revised method remains outstanding. We illustrate this statement in Figure 7 on an example, where $\Delta_C$ is set to 0.55 (the highest and most demanding value considered in the present study), and the CNN is $C_4$. In Figure 7, (a) represents the HR clean image $A^3_2$ classified by $C_4$ as belonging to the "acorn" category with corresponding label value 0.90, (b) the adversarial image created by the strategy applied to the EA attack in the untargeted scenario (classified as "snail" with label value 0.61), (c) the adversarial image created by the strategy with AdvGAN in the untargeted scenario (classified as "dung beetle" with label value 0.55), and (d) the adversarial image created by the strategy with AdvGAN in the targeted scenario (classified as "rhinoceros beetle" with label value 0.43). The images speak for themselves as far as visual quality is concerned.

Comparison of the Lifting Method and of the Noise Blowing-Up Method
This section provides a comparison between the outcomes of our adversarial noise blowing-up strategy and those of the lifting method introduced in [29,30].
We shall see on three highly challenging examples, that the noise blowing-up strategy leads to a substantial visual quality gain as compared with the lifting method of [29,30] (both strategies achieve comparable and negligible timing overheads as compared to the actual underlying attacks performed).Indeed, the visual quality gain is particularly flagrant when one zooms on some areas that remained visually problematic with the method used in [29,30].

The Three HR Images, the CNN, the Attack, the Scenario
We make here a case study with three HR images (two of which have been considered in [31]), with C = VGG-16 trained on ImageNet, for the EA-based black-box targeted attack given in Section 4.4.
The three HR pictures are represented in Table 14. They are the comics Spiderman picture ($A^{hr}_1$ retrieved from the Internet and under Creative Commons License), an artistic picture graciously provided by the French artist Speedy Graphito ($A^{hr}_2$ pictured in [56]) and Hippopotamus image ($A^{hr}_3 = A^2_7$) taken from Figure A1. An advantage of adding artistic images is that, while a human may have difficulties in classifying them in any category, CNNs do it.
Table 14. Three clean HR images $A^{hr}_a$, their original size, the classification of VGG-16 as $(c_a, \tau_a)$ of their reduced versions $\rho(A^{hr}_a)$ (with ρ = "Lanczos"), and the target category.

Implementation and Outcomes
Regarding implementation issues, we use (ρ, λ) = (Lanczos, Lanczos) for both the lifting method of [29,30] and the noise blowing-up method presented here, whenever needed.
In terms of the steps described in Section 3.1, note that both strategies coincide up to Step 3 included, and start to differ from Step 4 on. In particular, the attack process (Step 3) in the R domain is the same for both strategies. In the present case, one shall apply the EA-based targeted attack in the R domain, with the aim to create a 0.55-strong adversarial image. In other words, $\tau_{bef} \geq 0.55$ (with notations consistent with Section 3). This process succeeded for the three examples.
Figures 8-10 provide a visual comparison (both globally and on some zoomed area) of a series of images in the H domain for a = 1, 2, 3, respectively: (a) the clean image $A^{hr}_a$, (b) the non-adversarial resized image $\lambda \circ \rho(A^{hr}_a)$, (c) the adversarial image in H obtained by the lifting method of [29,30], (d) the adversarial image in H obtained by the noise blowing-up method. The non-adversarial image referred to in (b) remains classified by C in the $c_a$ category, and the adversarial images referred to in (c) and (d) are classified in the $c_t$ category mentioned in Table 14, with $c_t$-label values indicated in the Figures.
With notations consistent with Tables 9 and 10, and with the exponents "adv,lift" and "adv,noise" indicating that the adversarial images are obtained via the lifting method and by the noise blowing-up method respectively, Table 15 gives
Figures 8-10 show that, at some distance, both the non-adversarial resized image (b) and the HR adversarial images (c) and (d) seem to have a good visual quality as compared to the HR clean image (a). However, the zoomed areas show that details from the HR clean images become blurry in the HR adversarial images obtained by the lifting method (c) and in the non-adversarial resized images (b). Moreover, a human eye is not able to distinguish the blurriness that occurs in (b) from the one that shows up in (c): The loss of visual quality looks the same in both cases. However, a loss of visual quality does not occur (at least to the same extent) in the HR adversarial images obtained by the noise blowing-up method (d). These observations are also sustained numerically by and $\mathrm{FID}^{\text{adv,noise}}_H$ achieve much smaller values than their above counterparts. In particular, we see and measure in these examples, that the noise blowing-up method largely compensates for the negative visual impact of the resizing interpolation functions.
In other words, the adversarial images displayed by the noise blowing-up method in (d) are visually very close to the original clean images (a), while the adversarial images displayed by the lifting method in (c) are visually very close to the non-adversarial resized images in (b).
These experiments strongly speak in favor of our noise blowing-up method, despite the fact that interpolation scaling-up methods λ result in a loss of high-frequency features in the H domain (as seen in (b) and (c)). More precisely, our noise blowing-up method essentially avoids (and even corrects, as shown by the behavior of the $L_p$ and FID values) this latter issue, while the lifting method does not.

Conclusions
In this extensive study, we exposed in detail the noise blowing-up strategy to create high-quality high-resolution images adversarial against convolutional neural networks, and indistinguishable from the original clean images.
This strategy is designed to apply to any attack (black-box or white-box), to any scenario (targeted or untargeted scenario), to any CNN, and to any clean image.
We performed an extensive experimental study on 10 state-of-the-art and diverse CNNs, with 100 high-resolution clean images, three black-box (EA, AdvGAN, SimBA), and four white-box (FGSM, BIM, PGD Inf, PGD L2) attacks, applied in the target and the untarget scenario whenever possible.
This led to the construction of 4110 adversarial images for the target scenario and 3996 adversarial images for the untarget scenario.Therefore, the noise blowing-up method achieved an overall average success rate of 74.7% in the target scenario, and of 63.9% in the untarget scenario; the strategy performing perfectly or close to perfection (with a success rate of 100% or close to it) for many attacks.
We then focused on the failed cases.We showed that a minor additional requirement in one step of the strategy led to a substantial success rate increase (e.g., from circa 9.9% to 98.7% in the untarget scenario for the EA attack).
All along, we showed that the additional time required to perform our noise blowingup strategy is negligible as compared to the actual cost of the underlying attack on which the strategy applies.
Finally, we compared our noise blowing-up method to another generic method, namely the lifting method.We showed that the visual quality and indistinguishability of the adversarial images obtained by our noise blowing-up strategy substantially outperform those of the adversarial images obtained by the lifting method.We also showed that applying our noise blowing-up strategy substantially corrects some visual blurriness artifacts caused natively by interpolation resizing functions.
Clearly, the noise blowing-up strategy, which essentially amounts to adding to the clean high-resolution image one layer of "substantial" adversarial noise, blown-up from R to H, is open to a series of refinements and variants. For instance, one may instead consider adding to the clean image several "thin" layers of "moderate" blown-up adversarial noise. This would present at least two advantages. Firstly, one can parallelize this process. Secondly, depending on how adding different layers of adversarial noise impacts the overall $\tau_c^{\mathrm{aft}}$-value, one could consider relaxing the expectations on the $\tau_c^{\mathrm{bef}}$ value for each run of the attack in the R domain, and still meet the preset $\tau_c^{\mathrm{aft}}$ and $\Delta_C$ thresholds by wisely adding up the successive layers of noise. Both advantages may lead to a substantial speed-up of the process, and potentially to an increased visual quality. One could also consider applying the strategy to the flat scenario, where all ℓ label values are almost equidistributed, so that the CNN considers all categories almost equally likely (even this variant admits variants, e.g., where one specifies a number 2 ≤ x ≤ ℓ of dominating categories for which the attack would create an appropriate flatness).
Another promising direction comes from the observation that in the present method as well as in the method introduced in [29,30], the considered attacks explore a priori the whole image space. In future work, we intend to explore the possibility of restricting the size of the zones to explore. Provided the kept zones are meaningful (in a sense to be defined), one could in this way design an additional generic method which, combined with the one presented in this paper, could lead, at a lower computational cost, to high-resolution adversarial images of very good quality, especially if one pays attention to high-frequency areas.
Table A2. In Step 1 and 2 of Scheme (11), the Lanczos degrading interpolation function is employed for resizing images to match the input size of CNNs before they are fed into the CNNs. For 1 ≤ p ≤ 10, the ancestor category $c_{a_q}$-label values given by the 10 CNNs of the image $A^p_q$ pictured in Figure A1. A label value in red indicates that the category $c_{a_q}$ is not the dominant one.

Table A3. In Step 1 and 2 of Scheme (11), the Nearest degrading interpolation function is employed for resizing images to match the input size of CNNs before they are fed into the CNNs. For 1 ≤ p ≤ 10, the ancestor category $c_{a_q}$-label values given by the 10 CNNs of the image $A^p_q$ pictured in Figure A1. A label value in red indicates that the category $c_{a_q}$ is not the dominant one.

Appendix B. Choice of (ρ, λ, ρ) Based on a Case Study
Our previous papers [29,30] showed the sensitivity of tentative adversarial images to the choice of the degrading and enlarging functions. In the present Appendix B, we therefore want to find out which degrading and enlarging functions ρ and λ, and which combination (ρ, λ, ρ), used in Scheme (11), provide the best outcome in terms of image quality and of adversity. For this purpose, we perform a case study.

Based on the results of [29,30], the study is limited to the consideration of the "Lanczos" (L) and "Nearest" (N) functions, either for the degrading function ρ or for the enlarging function λ. This leads to 8 combinations for (ρ, λ, ρ), namely (with obvious notations) L-L-L, L-L-N, L-N-L, N-L-L, L-N-N, N-L-N, N-N-L and N-N-N.
For each such combination (ρ, λ, ρ), the study is performed on the 100 clean images $A^p_q$ represented in Figure A1, with the EA-based targeted attack against the CNN $C = C_9 =$ VGG-16, according to the pairs $(c_a, c_t)$ specified in Table 2. However, although the images $A^p_q$ are picked from the ImageNet validation set in the categories $c_{a_q}$, VGG-16 does not systematically classify all of them in the "correct" category $c_{a_q}$ in the process of Steps 1 and 2 of Scheme (11). Indeed, Tables A2 and A3 in Appendix A show that VGG-16 classifies "correctly" only 93 clean images $A^p_q$, and classifies "wrongly" 7, whether the degrading function used in Step 1 is ρ = L or ρ = N. Let us observe that although the numbers of "correctly" and of "wrongly" classified images are the same independently of the ρ function used, the actual images $A^p_q$ concerned are not necessarily the same. The rest of the experiments are therefore performed on the set $S^{\text{VGG-16}}_{\text{clean}}(\rho)$ of the 93 "correctly" classified clean images.
With this setting, the targeted attack aims at creating 0.55-strong adversarial images in the R domain (meaning that it aims at creating images for which $\tau_t \geq 0.55$).
As explained in Section 4.4, the attack succeeds when a 0.55-strong adversarial image in the R domain is obtained within 10,000 generations. In the present case study, we also keep track of such unsuccessful attacks. More precisely, for the 93 images of $S^{\text{VGG-16}}_{\text{clean}}(\rho)$ considered, we also report the cases where the best tentative adversarial image in the R domain, obtained after 10,000 generations, is either classified in $c_t$ but with a label value <0.55, or is classified in a category $c \neq c_a, c_t$, or is classified back to $c = c_a$.
Note en passant that, although unsuccessful for the 0.55-target scenario, the attack in the R domain is successful at creating good enough adversarial images in the first case considered in the previous paragraph, respectively for the untarget scenario in the second case.
In the present study, Scheme (11) continues with Steps 4 to 8 only for the adversarial images that correspond to the first or the second component of the quadruplet in R, namely those obtained in Step 3 that are classified in $c_t$. Note that we compute the average of the $\tau_c = \tau_t$ for these images.
At the end of Step 8, we collect the following data: the number of HR tentative adversarial images classified in $c_t$ (hence adversarial for the target scenario), classified in $c \neq c_a, c_t$ (hence adversarial for the untarget scenario), classified back in $c_a$ (not adversarial at all). For the images that remain in $c_t$ or $c \neq c_a, c_t$, we report their $c_t$-label values $\tau_t$, the value of the loss function, and the values of the two $L_p$ distances where p = 0, 1, 2, ∞ (written as $L_{p,R}$ and $L_{p,H}$ to simplify the notations) as specified in Section 3.2.
The outcomes of these experiments are summarized in Tables A4 and A5 for all (ρ, λ, ρ) combinations. Comprehensive reports on these experiments can be accessed via the following link: https://github.com/aliotopal/Noise_blowing_up (accessed on 14 April 2024).
Table A4. The average, maximum, and minimum dominant category label values before and after the application of the noise blowing-up technique (τc, τ), along with $L_p$ norms (where p = 0, 1, 2, ∞) and loss L for each combination of (ρ, λ, ρ). In this summary, the calculations include good-enough adversarial images.

Table A5 summarizes the main findings from the comparison study for different interpolation techniques. The table includes information on the interpolation methods utilized, Lanczos (L) and Nearest (N), which are shown in Column 1. The remaining columns present the following data: Column 2: the number of adversarial images used for testing the noise blowing-up technique, Column 3: the number of images classified in the target category, Column 4: the number of images that remained adversarial in the untargeted category, Column 5: the number of images classified in the ancestor category after employing the noise blowing-up technique, and Column 6: the resulting average loss in target category dominance.
Table A4 indicates that there are no significant differences observed when using different combinations of (ρ, λ, ρ) in relation to $L_p$ norms (where p = 0, 1, 2, ∞). However, Table A5 demonstrates that the combination of L-L-L produces optimal results in terms of both the loss function (L) and the number of adversarial images remaining in the target category ($c_t$) when utilizing the noise blowing-up technique for generating high-resolution adversarial images. Therefore, in our experiments (see Scheme (11)), we employ the L-L-L combination for (ρ, λ, ρ).
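The bookkeeping of this case study (the four R-domain outcomes after Step 3, the selection of the images classified in $c_t$, and the counts and average loss after Step 8) can be scripted as below. This is an added example, not the authors' code: the function names, the record layout, the sample label vectors, and the definition of the loss as the drop of the $c_t$ label value between Step 3 and Step 8 are assumptions.

```python
from statistics import mean

STRONG = 0.55  # strength threshold in the R domain, as stated in the text
CATS = ("acorn", "altar", "snail")  # constructed category set

def dominant(labels):
    """Return (category, label value) of the dominant category."""
    cat = max(labels, key=labels.get)
    return cat, labels[cat]

def r_outcome(labels, c_a, c_t):
    """Bin the Step 3 result (R domain) into the four reported cases."""
    cat, tau = dominant(labels)
    if cat == c_t:
        return "strong_target" if tau >= STRONG else "good_enough_target"
    return "back_to_ancestor" if cat == c_a else "other_category"

def table_a5_row(records):
    """Counts and average loss after Step 8 for one (rho, lambda, rho) choice."""
    used = [r for r in records
            if r_outcome(r["r"], r["c_a"], r["c_t"]).endswith("_target")]
    row = {"used": len(used), "target": 0, "untargeted": 0, "ancestor": 0}
    losses = []
    for r in used:
        cat, _ = dominant(r["h"])
        if cat == r["c_a"]:
            row["ancestor"] += 1  # not adversarial at all
            continue
        row["target" if cat == r["c_t"] else "untargeted"] += 1
        # Assumption: loss = drop of the c_t label value from Step 3 to Step 8
        losses.append(r["r"][r["c_t"]] - r["h"].get(r["c_t"], 0.0))
    row["avg_loss"] = round(mean(losses), 4) if losses else None
    return row

def rec(r, h):
    """Build one record; "r" = label values at Step 3, "h" = at Step 8."""
    return {"c_a": "acorn", "c_t": "altar",
            "r": dict(zip(CATS, r)), "h": dict(zip(CATS, h))}

# Constructed label values (not data from the paper).
SAMPLE = [
    rec((0.10, 0.60, 0.05), (0.12, 0.50, 0.05)),  # strong in R, stays in c_t
    rec((0.20, 0.40, 0.10), (0.25, 0.20, 0.30)),  # good enough in R, other in H
    rec((0.15, 0.58, 0.05), (0.45, 0.30, 0.05)),  # strong in R, back to c_a
    rec((0.50, 0.20, 0.05), (0.50, 0.20, 0.05)),  # back to c_a in R: not used
    rec((0.20, 0.10, 0.45), (0.20, 0.10, 0.45)),  # other category in R: not used
]

if __name__ == "__main__":
    print(table_a5_row(SAMPLE))
```

Running one such row per (ρ, λ, ρ) combination over the same set of R-domain adversarial images gives the side-by-side comparison that Table A5 reports.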
Table A5. The table presents the results of a case study conducted on 92 adversarial images obtained with $\mathrm{EA}^{\mathrm{target},C}$ for $C$ = VGG-16 and $\tau_t \geq 0.55$ (with notations consistent with Section 3). The technique involves manipulating the adversarial images by extracting noise and applying different combinations (ρ, λ, ρ) in Steps 1, 5, and 7 (see Section 3.1).

Figure 1. Standard attacks' process, where $c_a$ is the CNN's leading category of the clean resized image, and $c \neq c_a$ is the CNN's leading category of the adversarial image.

Figure 2. Direct attack process generating an adversarial image with the same size as the original clean image.

Figure 3. Examples of images for which the interpolation techniques cause more visual damage than the attacks themselves. Clean HR images $A^{\mathrm{hr}}_a$ in the 1st column; corresponding non-adversarial HR resized images $\lambda \circ \rho(A^{\mathrm{hr}}_a)$ in the 2nd column, with values of $L^{\mathrm{norm,clean}}_{p,H}$

Figure 4. Performance of the noise blowing-up method for EA in the untargeted scenario with the increased strength of adversarial images: (a) specifically for $C_4$, (b) averaged across 10 CNNs, and (c) overall report for all CNNs. In (a,b), $\Delta_C$ values are displayed at the bottom, and the resulting number of used images is at the top.

Figure 6. Performance of the noise blowing-up method for AdvGAN in the target scenario with the increased strength of adversarial images: (a) specifically for $C_4$, (b) averaged across 10 CNNs, and (c) overall report for all CNNs. In (a,b), $\Delta_C$ values are displayed at the bottom, and the resulting number of used images is at the top.

Figure 7. Sample of HR adversarial images generated by the noise blowing-up strategy for the EA and AdvGAN attacks in the untargeted scenario, and the AdvGAN attack in the targeted scenario against $C_4$ = MobileNet, with $\Delta_C$ set to 0.55 in the R domain. Classification (dominant category and label value) of $C_4$ are displayed at the bottom. (a) Clean image acorn: 0.90. (b) EA untarg snail: 0.61. (c) AdvGAN untarg dung_beetle: 0.55. (d) AdvGAN targ rhinoceros_beetle: 0.43.

Figure 8. Visual comparison in the H domain of (a) the clean image $A^{\mathrm{hr}}_1$, (b) its non-adversarial resized version, and the adversarial image obtained with $\mathrm{EA}^{\mathrm{target},C}$ for $C$ = VGG-16 (c) by the lifting method of [29,30] and (d) by the noise blowing-up method. Both non-adversarial images are classified as "comic books", (a) with label value 0.49 and (b) with label value 0.45. Both HR adversarial images are classified as "altar", (c) with label value 0.52, and (d) with label value 0.41.

Figure A2. Evaluating the performance of the noise blowing-up method for EA in untargeted scenarios with the increased strength of adversarial images per each CNN. The charts display ∆ values at the bottom, along with the corresponding number of images used for the tests at the top.

Figure A3. Evaluating the performance of the noise blowing-up method for AdvGAN in untargeted scenarios with the increased strength of adversarial images per each CNN. The charts display ∆ values at the bottom, along with the corresponding number of images used for the tests at the top.
) in the H domain. One writes $\mathrm{FID}^{\mathrm{adv}}_H$ the corresponding values. In particular, when adversarial images are involved, the comparison of some of these values between what occurs in the R domain, and what occurs in the H domain gives an insight into the weight of the noise at each level, and of the noise propagation once blown-up. Additionally, we shall as well assess the ratio:

Table 1. The 10 CNNs trained on ImageNet, their number of parameters (in millions), and their Top-1 and Top-5 accuracy.

Table 2. For 1 ≤ p ≤ 10, the second column lists the ancestor category $c_{a_p}$ and its ordinal $1 \leq a_p \leq 1000$ among the categories of ImageNet. Mutatis mutandis in the third column with the target category $c_{t_p}$ and ordinal $t_p$.

Table 5. Number of successfully generated adversarial images in the R domain.

Table 6. Images employed for the assessment of the speed/overhead of the noise blowing-up method for each considered scenario and attack.

Table 8. Performance of the noise blowing-up technique on adversarial images generated with untargeted attacks against 10 CNNs. The symbol ↑ (resp. ↓) indicates the higher (resp. the lower) the value the better.

Table 9. Visual quality as assessed by $L_p$-distances and FID values for the target scenario.

Table 10. Visual quality as assessed by $L_p$-distances and FID values for the untargeted scenario.

Table 11. In the target scenario, for each considered attack atk, execution time (in seconds, averaged over the 10 CNNs) of each step of Scheme (11) for the generation of HR adversarial images for the HR clean images $A^{10}_1$ and $A^{1}_2$. The Overhead column provides the cumulative time of all steps except Step 3. The ‰ column displays the relative per mille additional time of the Overhead as compared to the time required by atk performed in Step 3.

Table 12. In the untargeted scenario, for each considered attack atk, execution time (in seconds, averaged over the 10 CNNs) of each step of Scheme

Table 13. Minimum, maximum, and mean of the label values $\tau_c^{\mathrm{bef}}$ of adversarial images in the R domain (Phase 1, Step 3) when $\Delta_C$ is set to 0.55 per CNN.

Table 15. Numerical assessment of the visual quality of the different HR images (b), (c), (d) compared to the clean ones (a) of Figures 8-10, as measured by $L_p$ distances and FID values.

Table A3. In Step 1 and 2 of Scheme
Appendix B. Choice of (ρ, λ, ρ) Based on a Case Study Our previous papers

Table A6. $\mathrm{FID}^{\mathrm{adv}}_H$ values assessing the human imperceptibility of the crafted adversarial images for the target scenario.

Table A7. $\mathrm{FID}^{\mathrm{adv}}_H$ values assessing the human imperceptibility of the crafted adversarial images for the untargeted scenario.