Adversarial Attack Based on Perturbation of Contour Region to Evade Steganalysis-Based Detection

Deep neural networks (DNNs) are applied in various fields because they afford good performance. However, they are vulnerable to adversarial examples. Therefore, studies are actively investigating adversarial defenses to improve the robustness of DNNs as well as adversarial attacks to generate stronger adversarial perturbations. Most existing attack methods modify images excessively, either by generating overly large distortions or by adding perturbations to regions with little impact on the DNN. As a result, the local smoothness of the images is not maintained, and the changes can be easily detected using a steganalysis-based detector. In this study, we propose a contour attack method to evade steganalysis-based detection. This method extracts the contour region from an image and adds perturbations only to that region, thus maintaining the local smoothness. It thereby solves the problems mentioned above and effectively evades steganalysis-based detectors. Our experimental results demonstrate that the local smoothness is maintained better than with the original attack methods and that the detection evasion rate against a steganalysis detector is up to 19.9% higher. Further, structural similarity (SSIM) measurements and image comparisons demonstrate the improved imperceptibility of the perturbations; in particular, the SSIM values of images subjected to the contour attack are close to 1.0.


I. INTRODUCTION
Deep neural networks (DNNs) have provided remarkable breakthroughs in various fields such as image classification [1], face recognition [2], self-driving cars [3], and radiology [4]. However, DNNs are vulnerable to adversarial examples; therefore, studies are actively investigating this issue [5]. An adversarial example is an image with an imperceptible perturbation added to it; this may result in misclassification by the DNN. Gradient-based adversarial attacks have been studied using various techniques such as the limited-memory Broyden-Fletcher-Goldfarb-Shanno (L-BFGS) algorithm proposed in 2013 [6], the fast gradient sign method (FGSM) [7], and the basic iterative method (BIM) [8].

The associate editor coordinating the review of this manuscript and approving it for publication was Amin Zehtabian.
Studies have also investigated adversarial defenses to cope with adversarial attacks. For example, adversarial attacks have been countered using concepts such as adversarial training [12], [13], defensive distillation [14], and filtering [15]. First, adversarial training combines the loss for the original data with the loss for the adversarial data; consequently, the decision boundary is shifted to account for adversarial examples. This approach is a fast and simple defense method. Next, defensive distillation trains with the confidence values produced by the DNN instead of the true labels. This approach can reduce the sensitivity of the DNN to input perturbations. Finally, filtering can mitigate the effect of adversarial perturbations by refining the input image. However, most of these defenses have limitations. First, adversarial training suffers from problems such as an excessive increase in the size of the training dataset, a decrease in the classification accuracy of the natural model [12], and vulnerability to attacks that it has not been trained against [16]. Second, defensive distillation provides only limited defense against adversarial attacks [10]. Lastly, filtering-based defense methods are vulnerable to adaptive attacks [17]. Therefore, researchers are now focusing on detection-based defense methods such as noise reduction [18], feature squeezing [19], and steganalysis-based detection [20].
Steganalysis-based detection involves extracting steganalysis feature sets from original and adversarial images, training a machine learning detector on them, and finally using binary classification to judge whether an image is perturbed or not. When adversarial images are detected using this method, the key criterion is local smoothness. Local smoothness refers to the small intensity difference between adjacent pixels, and it is an important property of natural images. For example, studies have used a subtractive pixel adjacency matrix (SPAM) [21] or a spatial rich model (SRM) [22] as steganalysis feature sets; both model the dependency between adjacent pixels and thus capture whether an image has been perturbed. Most distance-based adversarial attacks [7], [8], [10] do not consider the dependency between adjacent pixels and calculate the perturbation size independently for each pixel. Adversarial perturbations added to smooth regions (e.g., the sea, a solid-colored wall, etc.) in images destroy the local smoothness of the image; therefore, they can be detected easily by steganalysis-based detection. This detection method outperforms earlier detectors [18], [19], [23]. In particular, a detector based on SRM feature sets exhibits a high detection rate even for the intensive C&W attack. However, this method is vulnerable to adversarial attacks that consider the local smoothness property.
Moreover, attackers should consider another property, called ''imperceptibility,'' to generate subtler adversarial images. If an adversarial image generated by an existing attack method does not account for imperceptibility, it may easily be detected by the human eye; in other words, such attacks are not effective. Therefore, several researchers have studied imperceptible adversarial attacks [24], [25]. However, although these methods improve imperceptibility, they still introduce visible distortion relative to the original image.
In this study, we propose a contour attack to evade steganalysis-based detection. This approach can improve the imperceptibility of perturbations and reduce the amount of distortion. Our main idea is to avoid adding perturbations to smooth regions, where the RGB values of adjacent pixels are similar; instead, perturbations are added to contour regions, where the RGB values of adjacent pixels differ. In this manner, smooth regions can be preserved. Toward this end, we propose a simple algorithm for extracting contour regions. Then, we preserve the parts excluded from the contour region and perturb the contour region using the original attack methods. This study makes the following contributions:
• We propose a methodology that can evade steganalysis-based detection by exploiting its vulnerability to attacks that consider the local smoothness property. We discuss the limitations of steganalysis-based detection through the visualization of steganalysis feature sets. Our method maintains the local smoothness better than existing attack methods.
• We validate the performance of our proposed attack against steganalysis-based detection in terms of the attack success rate, amount of distortion, and perturbation size based on the L_p distance and color distance. Our experimental results indicate that our attack achieves a detection evasion rate up to 19.9% higher against steganalysis-based detection while maintaining its attack success rate. Further, the amount of distortion was reduced by up to 126,584 perturbed pixels for FGSM. We also analyzed how the perturbation size varies for each attack. Finally, we demonstrated the efficiency of our attack method through comparisons with existing attack methods.
• Through image visualization and statistical metrics such as structural similarity (SSIM), we demonstrated that our attack method has higher imperceptibility than existing methods. Notably, evaluation using SSIM is not a standard assessment in the field of adversarial attacks; however, it may provide insight for real-world applications. Additionally, the contour region can serve as a new perturbation space for generating adversarial attacks on images.

The remainder of this paper is organized as follows. Section 2 discusses the existing adversarial attack methods that we use as baselines before introducing our proposed contour attack; it also explains the steganalysis-based detection method proposed in [20]. Section 3 describes the proposed contour attack method and the process by which the original attack and the contour region are combined. Sections 4 and 5 respectively present the process and results of our experiments to measure the attack ability, robustness, and imperceptibility of our proposed attack. Finally, Sections 6 and 7 respectively summarize the performance and limitations of the proposed method.

II. BACKGROUND & RELATED WORK
A. ADVERSARIAL ATTACKS
Adversarial attacks are of two main types. Untargeted attacks aim to have an image classified as any class other than its real class y_true. In this case, the goal of the attack is C(x′) = y_pred ≠ y_true, where C(·) is the classification model based on a convolutional neural network and x′ = x + η is the adversarial image obtained by adding an adversarial perturbation η to the original image x. By contrast, targeted attacks aim to have x′ misclassified as a particular class y_target (y_target ≠ y_true), that is, C(x′) = y_pred = y_target. The present study focuses on untargeted attacks; targeted attacks are left for future work.
VOLUME 9, 2021

1) FGSM
A previous study analyzed the vulnerability arising from the linear behavior of DNNs [7] and showed that an adversarial attack can be realized by adding a small perturbation to the original image. The FGSM proposed in that study updates each pixel value by the perturbation size ε in the direction of the sign of the loss gradient with respect to the original image x of the classification model C(·). In other words, x′ = x + ε × sign(∇_x J(x, y_true)). FGSM is used as a baseline attack in some studies because it is a one-step attack that requires little time.
2) BIM
BIM [8] is an iterative attack that builds upon FGSM [7]. In each iteration, BIM adds a small perturbation of size α and clips the accumulated perturbation so that it does not exceed ε. In other words, x′_0 = x and x′_{i+1} = Clip_{x,ε}{ x′_i + α × sign(∇_x J(x′_i, y_true)) }.
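The two updates above can be sketched as follows. The logistic "model" and its weight vector w are stand-in assumptions so that the gradient has a closed form; a real attack would backpropagate through the target DNN instead.

```python
import numpy as np

# Toy differentiable stand-in for the classifier: logistic regression on a
# flattened image. w is a hypothetical weight vector; any real attack would
# obtain the input gradient via autodiff on the target network.
def grad_loss(x, y, w):
    """Analytic gradient of the cross-entropy loss J(x, y) w.r.t. the input x."""
    p = 1.0 / (1.0 + np.exp(-np.dot(w, x)))   # sigmoid(w . x)
    return (p - y) * w                         # dJ/dx

def fgsm(x, y, w, eps):
    """One-step FGSM: x' = x + eps * sign(grad_x J(x, y_true))."""
    return np.clip(x + eps * np.sign(grad_loss(x, y, w)), 0.0, 1.0)

def bim(x, y, w, eps, alpha, n_iter):
    """Iterative FGSM with per-step size alpha and an eps-ball projection."""
    x_adv = x.copy()
    for _ in range(n_iter):
        x_adv = x_adv + alpha * np.sign(grad_loss(x_adv, y, w))
        x_adv = np.clip(x_adv, x - eps, x + eps)   # keep ||x' - x||_inf <= eps
        x_adv = np.clip(x_adv, 0.0, 1.0)           # keep valid pixel range
    return x_adv
```

Both functions return an image whose L∞ distance from x is bounded by ε, matching the constraint used in the experiments (ε = 0.03, α = ε/10, N = 20).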

3) C&W ATTACK
The C&W attack [10] can effectively attack defensive distillation [14], a defense method proposed to strengthen neural networks against adversarial examples. It considers three distance metrics to calculate the distortion; among these, the L2 norm-based attack is studied most commonly. In each iteration, the C&W attack jointly minimizes the L2 distance between x and x′ and a margin over the output logits Z(·) in front of the softmax layer of C(·). Specifically, this can be formulated as

minimize ||x′ − x||_2^2 + c × f(x′), with f(x′) = max( Z(x′)_{y_true} − max{ Z(x′)_i : i ≠ y_true }, −k ),

where c > 0 is a suitably chosen constant and k is the confidence value used to control the strength of the adversarial example. The larger the k value, the larger and more powerful are the added perturbations; the smaller the k value, the smaller and subtler they are. The C&W attack is regarded as one of the most powerful attack methods.
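The untargeted objective can be sketched as below. Only the loss evaluation is shown; the attack itself would minimize this value by gradient descent over x′, and the logits are assumed to be supplied by the classifier.

```python
import numpy as np

def cw_objective(x, x_adv, logits_adv, true_label, c=1.0, k=0.0):
    """Untargeted L2 C&W loss (a sketch of the objective only).

    logits_adv: pre-softmax outputs Z(x') of the classifier (assumed given).
    Returns ||x' - x||_2^2 + c * f(x'), where f(x') <= 0 exactly when the
    model already misclassifies x' with margin at least k.
    """
    l2 = np.sum((np.asarray(x_adv, float) - np.asarray(x, float)) ** 2)
    z = np.asarray(logits_adv, dtype=float)
    z_true = z[true_label]
    z_other = np.max(np.delete(z, true_label))   # best competing logit
    f = max(z_true - z_other, -k)
    return l2 + c * f
```

When the competing logit already dominates the true logit by more than k, f is clamped at −k, so further optimization pressure shifts entirely to shrinking the L2 distortion.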

4) PERCEPTUAL COLOR DISTANCE (PerC) ATTACK
One study [24] proposed a new approach to achieve higher imperceptibility with high confidence. It perturbs an image by utilizing perceptual color distance, breaking from the existing L_p norm-based constraints in the RGB space. That study proposed two techniques: the perceptual color distance C&W attack (PerC-C&W) and perceptual color distance alternating loss (PerC-AL). They generate an adversarial example through L2 normalization in the CIELAB space [26], [27].
First, the PerC-C&W attack can be formulated as

minimize ||ΔE00(x, x′)||_2 + c × f(x′).

Clearly, this attack substitutes the perceptual color distance calculated through ΔE00 for the original L2 distance and then simultaneously minimizes the distance value and the classification loss. ΔE00 is the standard CIEDE2000 formula [26], [27], and it can be expressed as

ΔE00 = sqrt( (ΔL′/(k_L S_L))^2 + (ΔC′/(k_C S_C))^2 + (ΔH′/(k_H S_H))^2 + R_T (ΔC′/(k_C S_C)) (ΔH′/(k_H S_H)) ),

where ΔL′, ΔC′, and ΔH′ are the distances between the pixel values in the lightness, chroma, and hue channels, respectively, and R_T is an interactive term between the chroma and hue differences. ΔE00 reflects actual human perception more closely than the L2 norm. Next, the PerC-AL attack is based on decoupled direction and norm (DDN) [11], an L2 norm-based iterative FGSM (I-FGSM). DDN can succeed with fewer iterations than the existing C&W attack, and its perturbation norm can vary for each iteration. It decouples the joint optimization: in each iteration, it either strengthens the adversarial effect using the gradient of the classification loss or decreases the L2 norm of the perturbation. PerC-AL minimizes the perceptual color distance instead of the L2 loss of the existing DDN.
In addition, many researchers are actively studying adversarial attack techniques from various perspectives; we introduce several attack methods in terms of imperceptibility. The authors of [28] proposed a superpixel-guided attentional adversarial attack method capable of preserving the local smoothness property along with the original attack ability. It was applied to L∞ attacks such as FGSM [7], iterative FGSM [8], and momentum iterative FGSM [29], combined with a superpixel algorithm and class activation mapping. They evaluated it against various adversarial defense methods such as steganalysis-based detection and image processing-based defenses. The authors of [30] proposed FineFool, which generates perturbations around the contour region through channel-spatial and pixel-spatial attention maps; the former focuses on the feature distribution and the latter on the pixel region. They achieved high attack accuracy and verified the small distortion by measuring the L_p distances. The authors of [31] proposed GreedyFool for generating an imperceptible and efficient perturbation map. They used L0 normalization to implement a sparse attack, which perturbs only a few pixels, and adopted a generative adversarial network (GAN) to generate a small distortion map.

B. STEGANALYSIS-BASED DETECTION METHOD
The steganalysis-based detection method has been applied to detect adversarial examples by using SPAM and SRM feature sets [20]. Each feature set is described as follows.

1) SPAM
SPAM is a low-dimensional model with 686 features [21]. It models the pixel differences in eight directions for each pixel by using a second-order Markov chain [32]. For example, when considering the difference between the pixel X_{i,j} and its right neighbor, it first calculates the difference array D_{i,j} = X_{i,j} − X_{i,j+1} and then the sample Markov transition probabilities M_{x,y,z} = Pr(D_{i,j+2} = x | D_{i,j+1} = y, D_{i,j} = z), where x, y, z ∈ {−T, ..., T}. T (= 3 in this study) is a fixed value used to reduce the dimensionality of the Markov matrix; if the magnitude of the difference between adjacent pixels exceeds T, it is clipped to [−T, T]. Finally, an average sample Markov transition probability matrix F is obtained by averaging the Markov matrices over the eight directions. Each second-order Markov matrix yields k = (2T + 1)^3 features; the four horizontal/vertical directions and the four diagonal directions are averaged separately, so for T = 3 the total number of features is 2k = 686.
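The construction can be sketched for a single direction as follows. This is a simplified illustration of the difference array, clipping, and transition tensor, not the full eight-direction SPAM implementation.

```python
import numpy as np

def spam_horizontal(X, T=3):
    """Second-order SPAM-style transition features for one (left-to-right) direction.

    Computes the right-neighbor difference array, clips it to [-T, T], and
    builds an empirical Markov transition tensor over consecutive difference
    triples: F[a, b, c] ~ Pr(D_{j+2}=c | D_j=a, D_{j+1}=b).
    """
    X = np.asarray(X, dtype=int)
    D = X[:, :-1] - X[:, 1:]                 # difference with the right neighbor
    D = np.clip(D, -T, T) + T                # shift values to indices 0..2T
    n = 2 * T + 1
    counts = np.zeros((n, n, n))
    # Count co-occurrences of consecutive difference triples along each row.
    for row in D:
        for a, b, c in zip(row[:-2], row[1:-1], row[2:]):
            counts[a, b, c] += 1
    # Normalize over the third element to obtain transition probabilities.
    pair_totals = counts.sum(axis=2, keepdims=True)
    with np.errstate(invalid="ignore", divide="ignore"):
        F = np.where(pair_totals > 0, counts / pair_totals, 0.0)
    return F.ravel()                         # (2T+1)^3 = 343 features
```

A perfectly flat region concentrates all probability mass at the (0, 0, 0) difference triple, which is why perturbing smooth regions visibly shifts these features.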

2) SRM
SRM is a high-dimensional model with 34,671 features [22]. It can be seen as an expanded version of SPAM, adding nonlinearity through the concept of MinMax. In SRM, a filter that produces one feature set is called a submodel. SRM contains 45 submodels based on either SPAM or MinMax, and it extracts a noise residual R via each submodel filter. Next, it forms a co-occurrence matrix of horizontal and vertical pixels for the extracted residuals. Then, it eliminates the duplicate values in the co-occurrence matrix by using the symmetry of the image, which reduces the dimensionality of each submodel and increases the statistical robustness. Finally, whether an image is an adversarial example or not is decided by training an ensemble classifier on the features extracted from each submodel; [20] uses the ensemble classifier of [33]. The detailed process of SRM is described in [22].

III. PROPOSED METHOD
A. MOTIVATION
In Fig.1, the RGB values of adjacent pixels within the body of the object (shark) are very similar. By contrast, the RGB values of adjacent pixels at the boundary between the object and the background (sea) are very different. Such high-difference regions are clipped at the threshold (i.e., maximum value) T when the Markov matrix is calculated for extracting the SPAM feature sets. Therefore, perturbations can be added to these regions without strongly changing the distribution of the steganalysis features. In addition, according to [25], adversarial perturbations are more perceptible in low-variance regions than in high-variance regions. However, most existing attack methods do not consider this property, and perturbations are often added in low-variance regions. Because the contour region lies in the high-variance region, perturbing only the contour region can also improve the imperceptibility of the perturbations.

Algorithm 1 Extracting Contour Region
Input: input image X, threshold t
Function: zeros(a, b) creates a new array of shape (a, b) filled with zeros.
[The remaining pseudocode steps were lost in extraction; the procedure is described in Section III-B.1.]
For each channel, accumulate the channel mask M into x_con; then x_con = clip(x_con, 0, 1); return x_con.

FIGURE 2. Pipeline of contour attacks. We input the image x, extract the contour region x_con, and fix it in each iteration. We calculate the perturbation η via L_p attacks. Then, we calculate x_con × η + x and iterate to obtain the output adversarial example x′.

B. CONTOUR ATTACK
This study proposes a contour attack. This method adds adversarial perturbations only to the contour regions extracted via a simple algorithm, thereby evading steganalysis-based detection; the pixel values of the original image are preserved in the other regions. The method can be applied to most existing attack methods, including L∞ norm-based attacks such as FGSM and BIM and L2 norm-based attacks such as the C&W and PerC attacks. Fig.2 shows the pipeline of our method. First, the contour region x_con of the input image x is extracted. In an iterative attack, the contour region is not updated; the attack is performed on the x_con extracted in the first iteration. In each iteration, a perturbation is added only in the contour region by multiplying x_con with the perturbation η generated via the L_p attack. Finally, the output image x′ is generated.

1) EXTRACT CONTOUR REGION
Algorithm 1 describes the procedure for extracting the contour region x_con. Each pixel of an input image x is three-channel RGB data with values in [0, 255], and H and W are the height and width of x, respectively. To extract x_con, we calculate the differences with the adjacent pixels in eight directions for every pixel in each channel. If the magnitude of a difference is greater than the parameter t, it is marked as 1; otherwise, it is marked as 0. Then, if the differences for at least two of the eight adjacent pixels are greater than t, the given pixel belongs to the contour region for that channel. Additionally, if at least one of the three RGB channels marks a pixel as contour, that pixel is in the contour region. Finally, x_con of size [H, W] is obtained; the value of each pixel is x_con[i, j] = 1 if pixel (i, j) belongs to the contour region and x_con[i, j] = 0 otherwise. Here, t is a constant that constrains the range of the contour region, and the contour region x_con in Fig.2 is the result of applying t = 10. Fig.3 shows the x_con generated for each t; clearly, the larger the t value, the narrower the contour region.
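The extraction rule just described can be sketched as follows. This is our vectorized reading of Algorithm 1, with edge-replicated padding at the image border as an assumption (border "neighbors" then differ by zero).

```python
import numpy as np

def contour_region(x, t=10):
    """Binary contour mask following the rule in Section III-B.1.

    x: image of shape (H, W, 3) with values in [0, 255].
    A pixel joins the contour region when, in at least one RGB channel,
    its absolute difference to at least two of its eight neighbors exceeds t.
    Returns an (H, W) mask of 0/1 values.
    """
    H, W, C = x.shape
    x = x.astype(int)
    pad = np.pad(x, ((1, 1), (1, 1), (0, 0)), mode="edge")
    shifts = [(-1, -1), (-1, 0), (-1, 1), (0, -1),
              (0, 1), (1, -1), (1, 0), (1, 1)]
    # Count, per channel, how many of the 8 neighbor differences exceed t.
    exceed = np.zeros((H, W, C), dtype=int)
    for di, dj in shifts:
        neigh = pad[1 + di:1 + di + H, 1 + dj:1 + dj + W, :]
        exceed += (np.abs(x - neigh) > t).astype(int)
    channel_hit = exceed >= 2            # >= 2 of 8 neighbors differ strongly
    return channel_hit.any(axis=2).astype(float)
```

On a sharp vertical edge, only the two pixel columns touching the boundary are flagged, which is the behavior that narrows as t grows (Fig.3).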

2) APPLY CONTOUR REGION IN L p ATTACK
To apply various L_p attack methods to the extracted contour region, we mask the perturbation η_i before generating the adversarial image for each iteration as follows: x′_i = x + x_con × η_i, where η_i is the adversarial perturbation calculated by an attack method such as an L∞ or L2 attack. In Fig.2, the perturbed image x′_i is the output of Contour FGSM. We can observe that perturbations have been added in the contour region between the face of the shark (i.e., the object of x) and the sea (i.e., the background of x); these perturbations lie in a high-variance region. Additionally, the output image x′ is the output of Contour BIM; its perturbations are more imperceptible than those of x′_i.
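The masking step is a single broadcast multiply; the function name below is ours, and η is assumed to come from any L_p attack.

```python
import numpy as np

def apply_contour_mask(x, eta, x_con):
    """Contour-attack update x'_i = x + x_con * eta_i.

    x:      original image in [0, 1], shape (H, W, 3)
    eta:    perturbation produced by an L_p attack for this iteration
    x_con:  fixed (H, W) contour mask, extracted once before iterating
    """
    mask = x_con[:, :, None]                  # broadcast mask over RGB channels
    return np.clip(x + mask * eta, 0.0, 1.0)  # pixels outside the mask untouched
```

Because x_con is 0 outside the contour region, those pixels keep their original values exactly, which is what preserves the local smoothness of the background.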

IV. EXPERIMENT
We performed various experiments to evaluate the ability of the proposed contour attack. First, we measured the attack success rate, amount of distortion, and perturbation size to evaluate the attack ability. Second, we measured the detection rate and the similarity of the steganalysis feature sets to evaluate the detection evasion rate for steganalysis-based detection. Third, we measured a similarity metric and visualized images to evaluate imperceptibility. In addition, we tested on an expanded subset of the ImageNet dataset to assess the generality of our approach, and we compared our proposed method with prior edge extraction methods to evaluate the effectiveness of its attack ability.

A. SETTING
For our experiments, we used the ImageNet dataset [34], which is widely used in computer vision research. It consists of 1,000 classes, and each image is three-dimensional data resized to size 299 × 299 × 3. We attacked 11 images from each of 100 randomly selected classes in this dataset. As the target classification model, we used the pretrained Inception ResNet V2 model [35] when running L∞ attacks such as FGSM, Contour FGSM, BIM, and Contour BIM, and the pretrained Inception V3 model [36] when running L2 attacks such as C&W, Contour C&W, PerC C&W, Contour PerC C&W, PerC AL, and Contour PerC AL. The classification accuracies of these models were measured to be 95.4% and 88.2%, respectively; their detailed structures are described in Table 1. When we attacked the images, each pixel value of the input image x was normalized to [0, 1], and when we extracted the contour region x_con, it was denormalized to [0, 255]. In our experiments, we set the threshold as t = 10.

B. ADVERSARIAL ATTACK ABILITY
For our experiments, we first set the perturbation size as ε = 0.03 when running the L∞ attacks. Further, we set the one-step perturbation size and iteration number as α = ε/10 and N = 20, respectively, when running BIM. By contrast, we set the number of binary search steps, maximum number of iterations, step size, and confidence as 9, N = 1,500, α = 0.001, and k = 0, respectively, when running an L2 attack like the C&W attack. Finally, for the PerC AL-based attacks, we set the step size for minimizing the classification loss, the step size for minimizing the perceptual color difference, the maximum number of iterations, and the confidence as α_l = 0.01, α_c = 0.05, N = 1,500, and k = 40, respectively.

TABLE 1. Structures of the target classification models. Inception ResNet V2 (left) was used to evaluate the L∞ attacks, and Inception V3 (right) was used to evaluate the L2 attacks. Further details of these classification models can be found in [35], [36].
The attack success rate Acc_attack used to evaluate the attack ability is the rate of adversarial examples x′ that satisfy C(x) ≠ C(x′). In addition, the amount of distortion L0 used to evaluate the attack efficiency is the count of perturbed pixels.
We used three statistical values to measure the size of the generated perturbations. First, we calculated the L2 and L∞ distances commonly used to measure the perturbation size in the RGB space: L2 is the overall perturbation size calculated as the Euclidean distance between the per-channel pixel values of x and x′, and L∞ is the maximum distortion in the image, that is, the maximum absolute difference over all indices of x and x′.
Next, we calculated the C_mean distance to measure the perturbation size in terms of the perceptual color difference. It is calculated as C_mean = (1 / (H × W)) Σ_{i,j} ΔE00(x_{i,j}, x′_{i,j}), where ΔE00(x, x′) is calculated using (4). It captures the perturbation size in terms of human color perception better than L_p norm-based values. C_mean is the mean of the perceptual color distance, and it is used to numerically compare the imperceptibility.
To compare the attack abilities in our experiments, we report the means of L0, L2, L∞, and C_mean over all images.
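The L0, L2, and L∞ measurements can be sketched as below (ΔE00 is omitted, since it requires the full CIEDE2000 computation in CIELAB space).

```python
import numpy as np

def perturbation_metrics(x, x_adv):
    """L0 (perturbed-pixel count), L2, and L_inf distances between x and x'."""
    diff = np.asarray(x_adv, float) - np.asarray(x, float)
    # A pixel counts toward L0 if it changed in any channel.
    l0 = int(np.count_nonzero(np.abs(diff).sum(axis=-1)))
    l2 = float(np.sqrt(np.sum(diff ** 2)))        # Euclidean distance
    linf = float(np.max(np.abs(diff)))            # largest per-entry change
    return l0, l2, linf
```

Averaging these values over all attacked images gives the quantities reported in Table 2.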

C. ADVERSARIAL ROBUSTNESS TO STEGANALYSIS-BASED DETECTION
To evaluate the robustness of the adversarial examples generated through the above processes to steganalysis-based detection, we extracted the SPAM and SRM features for each image. Furthermore, we performed experiments with two machine learning classification models to detect the adversarial examples through the steganalysis features. First, we used linear discriminant analysis (LDA) [37], in which the number of components for dimensionality reduction was set as n_component = 1. Next, we used an ensemble classifier [33], in which we set the base learner as the Fisher linear discriminant (FLD) [38] and let the dimensionality d_sub of the feature subspace on which each base learner operates and the number of base learners L be chosen automatically.
Further, we performed experiments with 1,200 training data and 1,000 test data for 1,100 original images x and 1,100 adversarial images x . We performed binary classification by labeling the original and adversarial images as 0 and 1, respectively.
Additionally, we used the following formula to measure the detection rate Acc_detect of steganalysis-based detection: Acc_detect = (1 / |X_test|) Σ_{x_t ∈ X_test} 1(D(x_t) = y_test), where D(·) is the trained detector, X_test is the test dataset including both original and adversarial test features, and y_test is the label of each test datum x_t.
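The evaluation can be sketched with a nearest-centroid stand-in for the LDA/ensemble detectors of [20] (the actual classifiers are external to this sketch; only the Acc_detect computation matches the formula above).

```python
import numpy as np

def fit_centroids(F_train, y_train):
    """Nearest-centroid stand-in detector: one centroid per class
    (0 = original, 1 = adversarial) in steganalysis feature space."""
    F = np.asarray(F_train, float)
    y = np.asarray(y_train)
    return F[y == 0].mean(axis=0), F[y == 1].mean(axis=0)

def detection_rate(F_test, y_test, c0, c1):
    """Acc_detect: fraction of test features assigned to their true label."""
    F = np.asarray(F_test, float)
    d0 = np.linalg.norm(F - c0, axis=1)       # distance to "original" centroid
    d1 = np.linalg.norm(F - c1, axis=1)       # distance to "adversarial" centroid
    pred = (d1 < d0).astype(int)
    return float(np.mean(pred == np.asarray(y_test)))
```

A detection rate near 0.5 means the feature distributions of the two classes overlap, i.e., the attack has evaded the detector.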

D. PERTURBATION IMPERCEPTIBILITY
We used SSIM [39] to evaluate the imperceptibility of the adversarial perturbations generated through our proposed method. SSIM is a statistical value used to measure perceptual quality or similarity in terms of human perception, and it measures the degree of distortion in structural information. It is used as an indicator to evaluate the quality of images or the imperceptibility of perturbations in various fields such as image reconstruction [40], [41] and adversarial examples [42], [43]. The SSIM(A, B) between image A and image B is expressed as

SSIM(A, B) = l(A, B) × c(A, B) × s(A, B),

where l, c, and s are the luminance comparison, contrast comparison, and structure comparison, respectively. They are calculated using the averages µ and standard deviations σ of A and B as follows:

l(A, B) = (2 µ_A µ_B + c_1) / (µ_A^2 + µ_B^2 + c_1)
c(A, B) = (2 σ_A σ_B + c_2) / (σ_A^2 + σ_B^2 + c_2)
s(A, B) = (σ_AB + c_3) / (σ_A σ_B + c_3)

where c_1, c_2, and c_3 are constants. The more similar or different two images are, the closer SSIM is to 1 or 0, respectively.

V. EXPERIMENTAL RESULTS
A. ADVERSARIAL ATTACK ABILITY
Table 2 shows the measured attack abilities of each attack method. When evaluating the attack ability of the proposed method, we should first consider the change in performance when perturbations are added only to the contour region. Table 2 shows that the L0 of the contour attack methods was much smaller than that of the existing attack methods. In particular, for L∞ attacks, L0 decreased by more than 100,000; that is, more of the original image is preserved. Further, the attrition of Acc_attack was less than 3% despite the large decrease in L0. For Contour FGSM, the decrease in Acc_attack was due to the additional constraint, namely the restricted perturbation region, relative to the existing FGSM. However, Table 3 shows the improvement when the number of iterations was i = 100. In other words, we can compensate for the decrease in Acc_attack caused by the contour attack through additional iterations. Further, the Acc_attack of the contour attacks was similar to that of the existing L2 attack methods. In other words, the proposed contour attack maintains the attack success rate while reducing L0.
As shown in Table 2, L 2 and C mean of L ∞ norm-based contour attacks were reduced. In other words, the perturbation size of the contour attack was smaller; this proves the attack ability of the L ∞ attack for the contour region. Further, L 2 and L ∞ of the L 2 norm-based contour attacks were increased. In other words, the perturbation size in the contour region increased because of the decrease in L 0 . Further, the perturbation size was maintained in terms of human color perception as C mean was maintained.

B. ADVERSARIAL ROBUSTNESS TO STEGANALYSIS-BASED DETECTION
We compared the adversarial robustness to steganalysis-based detection. Table 4 shows the detection rate measured using SPAM features; LDA and EC denote linear discriminant analysis and ensemble classifier, respectively. The results showed that the detection evasion rate of all contour attack methods was improved relative to that of the existing attack methods. For Contour BIM with the EC, the detection rate was 82.1%, which is 17.5% lower than the 99.6% detection rate of BIM. Further, for Contour PerC AL with the EC, the detection evasion rate was improved by 19.9%. Contour C&W had a detection rate of 51.7%; a binary classifier with an accuracy near 50% cannot meaningfully separate the two classes, so the detection rate of Contour C&W is very significant. Fig.4 shows visualization graphs of the SPAM features extracted from the adversarial images generated by the BIM and Contour BIM attacks and from the original image. Compared with the features of the original image, the distribution of features in the image generated by BIM is very different, whereas that in the image generated by Contour BIM is very similar. Therefore, we can evade the SPAM-based detector through the contour attack. Furthermore, Table 5 shows the cosine similarity of SPAM features measured over all images. The cosine similarity is calculated as cos(a, b) = (a · b) / (||a|| ||b||); it measures the similarity between vectors a and b, and the more similar or more opposite their directions, the closer it is to 1 or −1, respectively. In this experiment, we measured the cosine similarity between the SPAM features of the original and adversarial images. As a result, we can verify that the contour attack methods have a cosine similarity of almost 1; therefore, they were better than the existing attack methods. Table 6 shows the detection rate measured using SRM features. The detection evasion rate was improved through contour attacks, as in the experiments with SPAM features.
In particular, with the EC, the detection rate of the Contour C&W attack was 7.1% lower than that of the C&W attack. Table 7 shows the cosine similarity calculated for SRM features in a manner similar to Table 5. The cosine similarities of the contour attack methods were very close to 1, indicating that they were better than the existing attack methods.

C. PERTURBATION IMPERCEPTIBILITY
Table 8 shows a comparison of SSIM for each attack method. All contour attack methods showed higher SSIMs (very close to 1.000) than the existing attack methods. In other words, the contour attack improves the perceptual quality of adversarial images and increases the similarity between the original and the adversarial image. Additionally, the SSIM of Contour FGSM was 0.2912 higher than that of FGSM; thus, the contour attack affords high imperceptibility even through a one-step attack. Fig.5 shows the images perturbed via the L∞ attack methods. We used a very large perturbation size to clearly identify, from the viewpoint of human eyes, the improved imperceptibility of contour attacks relative to the existing attack methods; these images were generated using L∞ attacks with ε = 0.2. The perturbed images generated using Contour FGSM and Contour BIM are clearly cleaner than those generated using FGSM and BIM, respectively. Similarly, Fig.6 shows perturbed images generated using L2 attack methods with step size α = 0.2 and confidence k = 100 for the C&W and PerC C&W-based attacks and α_l = 0.1, α_c = 1, and k = 70 for the PerC AL-based attacks. The perturbed images generated using Contour C&W were much cleaner than those generated using C&W. Further, the sea (i.e., the background region) in the perturbed image generated using PerC C&W had low quality, whereas that in the image generated using Contour PerC C&W was improved.
Additionally, the perturbations in the left nostril region of the shark in the image generated using PerC AL were notably unnatural, whereas those in the image generated using Contour PerC AL were improved. Table 2 shows that the L0 of the Contour C&W and Contour PerC C&W attacks decreased in comparison with that of the existing attack methods, although the difference between them was small. Furthermore, L2 and L∞ increased, and for Contour C&W, C_mean increased to 0.001. Fig.7 explains why the imperceptibility of the perturbation nevertheless increased. This figure shows the perturbation δ generated by the L2 attack methods. C&W-based attack methods destroy the object in an image by adding relatively small perturbations to a smooth region to induce misclassification. In particular, PerC C&W added many perturbations in the abdomen part of the shark, thereby destroying the smooth region. Our contour attack prevents this problem. In principle, it is harder to induce a misclassification by adding a perturbation to a high-variance region than to a low-variance region; however, doing so is advantageous from the viewpoint of imperceptibility. Overall, this explains how L2, L∞, and C_mean of the L2 norm-based contour attacks changed relative to those of the existing attack methods and why the imperceptibility was improved.

D. COMPARISON ON EXPANSION DATASET
In this subsection, we verify the generality of the results presented in the above section. We used five images from each of the 1,000 classes in the ImageNet dataset; in other words, the number of attacked images increased more than two-fold compared with the above experiments. Furthermore, owing to our restricted computing resources, we attacked these images using only the C&W and Contour C&W attacks. Table 9 shows the attack abilities measured in these additional experiments. We first evaluated the attack success rate Acc_attack. The Acc_attack of the C&W attack decreased slightly from 100% to 99.8%, whereas that of the Contour C&W attack was maintained at 100%. Next, we attempted to detect these adversarial images using steganalysis-based detection with LDA. The results show that the contour attack evades steganalysis-based detection more effectively than the existing attack method. In particular, even when most detection rates increased, the contour attack could still evade detection better than the existing method.

E. COMPARISON WITH OTHER CONTOUR REGION DETECTION METHODS
We additionally compared our approach with existing contour region detection methods such as the Sobel filter [44], Scharr filter [45], and Canny filter [46]. The Sobel filter computes an approximate derivative using fixed convolution kernels, and the Scharr filter computes a more accurate derivative than the Sobel filter; both use kernels of size 3 × 3. We generated a contour region by overlaying the horizontal kernel response with the vertical kernel response. The Canny filter is a multi-step algorithm that extracts a more precise edge: first, noise is removed using a Gaussian filter; then, the edge region is extracted using a Sobel filter; finally, a threshold is applied to remove non-edge pixels. Examples of contour regions produced by these extraction methods are visualized in Fig.8. The difference between them and our contour region is that our approach is based on a SPAM-style computation, comparing the eight neighboring directions for each pixel, and is very simple. Table 10 shows the results of our comparison, in which we evaluated the performance of L∞ attacks. Our approach shows a lower attack success rate for Contour FGSM than the Canny filter; however, this drawback can be overcome through the iterative version. On the other hand, the Canny filter-based contour attack shows the best evasion success rate against SPAM-based detection owing to the least amount of distortion. Additionally, the Sobel filter-based contour attack can evade SRM-based detection to a greater extent than the other methods. Consequently, we conclude that the attacker should select the most appropriate contour-region generation method according to each situation.
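As an illustration of the gradient-based contour extraction compared here, the following is a minimal numpy sketch of a Sobel-style contour mask. The kernels are the standard Sobel kernels; the zero-padding and magnitude-thresholding scheme is our assumption for illustration, not the paper's exact procedure.

```python
import numpy as np

# Standard 3x3 Sobel kernels: horizontal-gradient and its transpose.
SOBEL_X = np.array([[-1, 0, 1],
                    [-2, 0, 2],
                    [-1, 0, 1]], dtype=float)
SOBEL_Y = SOBEL_X.T

def conv2d_same(img, kernel):
    # Naive "same"-size 2-D convolution with zero padding.
    h, w = img.shape
    pad = np.pad(img, 1)
    k = kernel[::-1, ::-1]  # flip for true convolution
    out = np.zeros((h, w), dtype=float)
    for i in range(h):
        for j in range(w):
            out[i, j] = np.sum(pad[i:i + 3, j:j + 3] * k)
    return out

def sobel_contour_mask(img, thresh):
    # Overlay horizontal and vertical responses, then threshold
    # the gradient magnitude to obtain a binary contour mask.
    gx = conv2d_same(img, SOBEL_X)
    gy = conv2d_same(img, SOBEL_Y)
    mag = np.hypot(gx, gy)
    return (mag >= thresh).astype(np.uint8)
```

Pixels whose gradient magnitude exceeds the threshold form the contour region; the Scharr variant only swaps the kernel weights, while Canny adds Gaussian smoothing and non-edge suppression on top of this response.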

VI. DISCUSSION
The proposed contour attack has some benefits and limitations. First, we successfully improved the local smoothness of the smooth region; however, the local smoothness between adjacent contour regions may be destroyed. We add perturbations in the contour region by simply combining existing attack methods with our contour mask, without any sophisticated mathematical calculations, and this occasionally results in differences in RGB values between adjacent perturbations.
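The combination of an existing attack with the contour region can be sketched as a simple masking step. The sketch below uses FGSM for concreteness; the function names are illustrative and a precomputed binary contour mask (e.g., from the extraction step described earlier) is assumed.

```python
import numpy as np

def contour_fgsm(x, grad, mask, eps):
    # Illustrative sketch: restrict a one-step FGSM perturbation to
    # the contour region so the smooth regions stay untouched.
    #   x    : input image in [0, 1]
    #   grad : loss gradient w.r.t. x (from the target classifier)
    #   mask : binary contour mask, same shape as x
    #   eps  : perturbation size (L-infinity budget)
    delta = eps * np.sign(grad)   # ordinary FGSM perturbation
    adv = x + mask * delta        # keep only contour-region pixels
    return np.clip(adv, 0.0, 1.0)
```

Iterative attacks (BIM, C&W, PerC variants) follow the same pattern, with the mask applied at every update step, which is why the approach needs no attack-specific derivation.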
Second, we performed experiments with other datasets such as MNIST [47], which contains 28 × 28 gray-scale images of handwritten digits commonly used for training various image classification tasks. These images are smaller than those of ImageNet. We performed experiments similar to those described above to evaluate the effectiveness of the contour attack for small-sized data. Specifically, we performed comparisons for L∞ attacks with a perturbation size of ε = 0.3. Fig.9 shows the experimental results. Images perturbed by our contour attacks appear cleaner than those perturbed by existing attack methods; in other words, the contour attack can improve the imperceptibility of adversarial perturbations even for small-sized data. However, in our experiments, the attack ability decreased substantially for small perturbations with ε < 0.03. This was because the contour region became too cramped and overlapped the original image, as shown in Fig.9. Further mathematical research is needed to solve this problem.
Third, we discuss the contour region itself. Recently, contour regions have attracted attention in the area of adversarial examples. For example, [30] proposed FineFool, which generates adversarial examples using a spatial attention map. Their goal is similar to that of this paper; i.e., they focus on the contour region to reduce the amount of perturbation and to improve the imperceptibility of perturbations. However, FineFool must calculate a channel-spatial attention map and a pixel-spatial attention map, so its computational cost is higher than that of our approach, which simply restricts existing attack methods to the contour region. Additionally, our approach can be applied with various attack methods.
Next, [48] proposed RCA-SOC to defend against adversarial examples by refocusing on critical areas and strengthening object contours. They used a feature map created from a shallow layer of the classification model to reconstruct the input image. Specifically, they extracted a pixel-channel attention map to focus on the critical feature area and a pixel-plane attention map to strengthen the contour of the object. Additionally, they combined RCA-SOC with some input modification methods to enhance the defense performance. This method merits attention because its defense focuses on the contour region, similar to our approach.

VII. CONCLUSION
This study proposed a methodology to improve adversarial attacks by applying existing attack methods only to contour regions extracted using a simple algorithm. Several existing attack methods greatly disrupt an image or add easily detectable perturbations to certain regions; our experiments indicate that the proposed contour attack solves these problems. We also demonstrated that the contour region can serve as a new perturbation space for performing effective adversarial attacks. Our proposed method can evade steganalysis-based detectors, which defend against various attack methods by exploiting the local smoothness property, with an up to 19.9% higher detection evasion rate. Furthermore, it reduces the amount of distortion, maintains the attack ability, and improves the imperceptibility of adversarial perturbations relative to existing attack methods. Nonetheless, our contour attack method has some limitations, as mentioned in Section VI; we will aim to overcome these in future studies.