Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets
Dongxian Wu, Yisen Wang, Shu-Tao Xia, James Bailey, Xingjun Ma

TL;DR
This paper reveals that skip connections in neural networks like ResNet facilitate the creation of highly transferable adversarial examples, exposing a security vulnerability and proposing a new attack method called SGM.
Contribution
The paper introduces the Skip Gradient Method (SGM), a novel technique leveraging skip connections to craft highly transferable adversarial examples, highlighting a new architectural vulnerability.
Findings
SGM significantly improves attack transferability across various DNN architectures.
Skip connections enable easier gradient-based attack generation, increasing security risks.
SGM can be combined with black-box attacks for enhanced effectiveness.
Abstract
Skip connections are an essential component of current state-of-the-art deep neural networks (DNNs) such as ResNet, WideResNet, DenseNet, and ResNeXt. Despite their huge success in building deeper and more powerful DNNs, we identify a surprising security weakness of skip connections in this paper. Use of skip connections allows easier generation of highly transferable adversarial examples. Specifically, in ResNet-like (with skip connections) neural networks, gradients can backpropagate through either skip connections or residual modules. We find that using more gradients from the skip connections rather than the residual modules according to a decay factor allows one to craft adversarial examples with high transferability. Our method is termed Skip Gradient Method (SGM). We conduct comprehensive transfer attacks against state-of-the-art DNNs including ResNets, DenseNets, Inceptions,…
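The two gradient paths the abstract describes, worked through on a constructed toy residual stack for robustness analysis. This is an added example, not the paper's code: the weights, the tanh residual module, the squared-error loss and the placement of the decay factor `gamma` on the residual Jacobian are all assumptions.

```python
import math

# Constructed toy model (assumption, not from the paper): three residual
# blocks z_{i+1} = z_i + W_i tanh(z_i) on 2-d vectors, loss 0.5*||z_L - t||^2.
WEIGHTS = [
    [[0.5, -0.3], [0.2, 0.4]],
    [[-0.6, 0.1], [0.3, 0.7]],
    [[0.4, 0.5], [-0.2, 0.3]],
]
TARGET = [1.0, -1.0]

def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def forward(x):
    """Return activations z_0..z_L of the residual stack."""
    zs = [list(x)]
    for w in WEIGHTS:
        f = matvec(w, [math.tanh(a) for a in zs[-1]])  # residual module output
        zs.append([a + b for a, b in zip(zs[-1], f)])   # skip connection adds z
    return zs

def loss(x):
    return 0.5 * sum((a - t) ** 2 for a, t in zip(forward(x)[-1], TARGET))

def input_gradient(x, gamma=1.0):
    """dloss/dx with each residual-branch term scaled by gamma.
    Backward step per block: g <- g (I + gamma * J_f). The identity is the
    skip connection; J_f = W diag(1 - tanh^2 z) is the residual Jacobian.
    gamma = 1 is ordinary backprop, gamma = 0 keeps only the skip path."""
    zs = forward(x)
    g = [a - t for a, t in zip(zs[-1], TARGET)]            # dloss/dz_L
    for w, z in zip(reversed(WEIGHTS), reversed(zs[:-1])):
        wt_g = matvec([list(c) for c in zip(*w)], g)        # W^T g
        res = [v * (1 - math.tanh(a) ** 2) for v, a in zip(wt_g, z)]
        g = [s + gamma * r for s, r in zip(g, res)]         # skip + decayed residual
    return g

def numeric_gradient(x, h=1e-6):
    """Central finite differences, used to check the gamma = 1 case."""
    grad = []
    for i in range(len(x)):
        hi = [v + h * (j == i) for j, v in enumerate(x)]
        lo = [v - h * (j == i) for j, v in enumerate(x)]
        grad.append((loss(hi) - loss(lo)) / (2 * h))
    return grad

if __name__ == "__main__":
    print({g: input_gradient([0.3, -0.8], g) for g in (1.0, 0.5, 0.0)})
```

With `gamma = 1` the result matches the finite-difference gradient of the loss; as `gamma` shrinks, the residual modules' contribution fades and the gradient approaches the signal that travels through the skip connections alone.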
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Nuclear Materials and Properties
Methods: Sigmoid Activation · Inception-ResNet-v2 Reduction-B · Reduction-A · Inception-ResNet-v2-A · Inception-ResNet-v2-B · Inception-ResNet-v2-C · Inception-ResNet-v2 · Auxiliary Classifier · Inception Module · Inception v2
