Regional Homogeneity: Towards Learning Transferable Universal Adversarial Perturbations Against Defenses

TL;DR

This paper introduces a method to generate universal adversarial perturbations that effectively fool multiple defense models by leveraging regional homogeneity, significantly improving transferability across models and tasks.

Contribution

It proposes a gradient transformer module to produce regionally homogeneous perturbations, enhancing transferability against defense models without explicit universality training.

Findings

Outperforms prior attack algorithms by 14% on average.

Achieves cross-model transferability of adversarial examples.

Transfers effectively across different vision tasks like segmentation and detection.

Abstract

This paper focuses on learning transferable adversarial examples specifically against defense models (models to defense adversarial attacks). In particular, we show that a simple universal perturbation can fool a series of state-of-the-art defenses. Adversarial examples generated by existing attacks are generally hard to transfer to defense models. We observe the property of regional homogeneity in adversarial perturbations and suggest that the defenses are less robust to regionally homogeneous perturbations. Therefore, we propose an effective transforming paradigm and a customized gradient transformer module to transform existing perturbations into regionally homogeneous ones. Without explicitly forcing the perturbations to be universal, we observe that a well-trained gradient transformer module tends to output input-independent gradients (hence universal) benefiting from the under-fitting phenomenon. Thorough experiments demonstrate that our work significantly outperforms the prior art attacking algorithms (either image-dependent or universal ones) by an average improvement of 14.0% when attacking 9 defenses in the transfer-based attack setting. In addition to the cross-model transferability, we also verify that regionally homogeneous perturbations can well transfer across different vision tasks (attacking with the semantic segmentation task and testing on the object detection task). The code is available here: https://github.com/LiYingwei/Regional-Homogeneity.