Cross-Domain Transferability of Adversarial Perturbations
Muzammal Naseer, Salman H. Khan, Harris Khan, Fahad Shahbaz Khan, Fatih Porikli

TL;DR
This paper demonstrates the existence of domain-invariant adversarial examples that can transfer across different datasets and models, and proposes a generative framework to craft highly transferable attacks with high success rates.
Contribution
It introduces the first framework for creating domain-invariant adversarial perturbations that transfer across diverse datasets and models, outperforming existing methods.
Findings
Achieves up to 99% success rate in fooling classifiers across domains.
Outperforms traditional instance-specific attacks in transferability.
Sets new state-of-the-art transfer attack success rates.
Abstract
Adversarial examples reveal the blind spots of deep neural networks (DNNs) and represent a major concern for security-critical applications. The transferability of adversarial examples makes real-world attacks possible in black-box settings, where the attacker is forbidden to access the internal parameters of the model. The underlying assumption in most adversary generation methods, whether learning an instance-specific or an instance-agnostic perturbation, is the direct or indirect reliance on the original domain-specific data distribution. In this work, for the first time, we demonstrate the existence of domain-invariant adversaries, thereby showing common adversarial space among different datasets and models. To this end, we propose a framework capable of launching highly transferable attacks that crafts adversarial patterns to mislead networks trained on wholly different domains.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Malware Detection Techniques
