Online Social Networks (OSNs) have blossomed into prevailing transmission channels for images in the modern era. Adversarial examples (AEs) deliberately designed to mislead deep neural networks (DNNs) are found to be fragile against the inevitable lossy operations conducted by OSNs. As a result, the AEs would lose their attack capabilities after being transmitted over OSNs. In this work, we aim to design a new framework for generating robust AEs that can survive the OSN transmission; namely, the AEs before and after the OSN transmission both possess strong attack capabilities. To this end, we first propose a differentiable network termed SImulated OSN (SIO) to simulate the various operations conducted by an OSN. Specifically, the SIO network consists of two modules: 1) a differentiable JPEG layer for approximating the ubiquitous JPEG compression and 2) an encoder-decoder subnetwork for mimicking the remaining operations. Based upon the SIO network, we then formulate an optimization framework to generate robust AEs by enforcing model outputs with and without passing through the SIO to be both misled. Extensive experiments conducted over Facebook, WeChat and QQ demonstrate that our attack methods produce more robust AEs than existing approaches, especially under small distortion constraints; the performance gain in terms of Attack Success Rate (ASR) could be more than 60%. Furthermore, we build a public dataset containing more than 10,000 pairs of AEs processed by Facebook, WeChat or QQ, facilitating future research in robust AE generation. The dataset and code are available at https://github.com/csjunjun/RobustOSNAttack.git.
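A toy illustration of the two-term objective described above (added here; it is not the paper's SIO network or code). The OSN is stood in for by a 2x2 average-pooling "channel", the DNN by a linear classifier on an 8x8 constructed image, and the attack by a single L2-ball steepest-descent step; a perturbation optimized against the raw model alone is undone by the channel, while one optimized against the raw and channel-passed scores together survives it. The `survives` check is the kind of post-transmission test a defender would run to see whether a perturbation still matters after the lossy path.

```python
import math

N = 8
SIZE = N * N

def checkerboard():
    # High-frequency pattern: the part of a perturbation that lossy averaging removes
    return [1.0 if (i // N + i % N) % 2 == 0 else -1.0 for i in range(SIZE)]

def channel(x):
    """Stand-in for the lossy channel: 2x2 average pooling + nearest-neighbour upsampling.
    It is linear and symmetric, so channel(v) is also its transpose applied to v."""
    out = list(x)
    for r in range(0, N, 2):
        for c in range(0, N, 2):
            idx = [r * N + c, r * N + c + 1, (r + 1) * N + c, (r + 1) * N + c + 1]
            m = sum(x[i] for i in idx) / 4.0
            for i in idx:
                out[i] = m
    return out

CB = checkerboard()
W = [cb + 0.5 for cb in CB]          # constructed classifier: high-frequency + DC weights
B = -11.0
X0 = [0.5 + 0.2 * cb for cb in CB]   # constructed clean image, pixel values in [0.3, 0.7]

def dot(a, b):
    return sum(u * v for u, v in zip(a, b))

def score(x):
    return dot(W, x) + B              # > 0: clean class, < 0: misclassified

def perturb(grad, eps):
    """Steepest-descent step on an L2 ball of radius eps, clipped to valid pixels.
    For a linear score this single step is the optimum inside the ball."""
    n = math.sqrt(dot(grad, grad))
    return [min(1.0, max(0.0, v - eps * g / n)) for v, g in zip(X0, grad)]

def plain_attack(eps):
    return perturb(W, eps)            # gradient of score(x) only

def channel_aware_attack(eps):
    # gradient of score(x) + score(channel(x)) = W + channel^T(W) = W + channel(W)
    return perturb([a + b for a, b in zip(W, channel(W))], eps)

def survives(x):
    """True if the image is misclassified both before and after the channel."""
    return score(x) < 0 and score(channel(x)) < 0
```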