Understanding and Enhancing the Transferability of Adversarial Examples
Lei Wu, Zhanxing Zhu, Cheng Tai, Weinan E

TL;DR
This paper investigates factors affecting the transferability of adversarial examples in deep neural networks and proposes a variance-reduced attack method to improve transferability, validated through experiments on CIFAR-10 and ImageNet.
Contribution
It provides a systematic analysis of factors influencing transferability and introduces a novel variance-reduced attack strategy to enhance transferability of adversarial examples.
Findings
Transferability depends on model architecture, capacity, and loss function smoothness.
Variance-reduced attack significantly improves transferability across models.
Experimental results confirm the effectiveness on CIFAR-10 and ImageNet datasets.
Abstract
State-of-the-art deep neural networks are known to be vulnerable to adversarial examples, formed by applying small but malicious perturbations to the original inputs. Moreover, the perturbations can transfer across models: adversarial examples generated for a specific model will often mislead other unseen models. Consequently, the adversary can leverage this to attack deployed systems without any query, which severely hinders the application of deep learning, especially in areas where security is crucial. In this work, we systematically study two classes of factors that might influence the transferability of adversarial examples. One is model-specific factors, including network architecture, model capacity and test accuracy. The other is the local smoothness of the loss function used for constructing adversarial examples. Based on this understanding, a simple but effective…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
