Diversity can be Transferred: Output Diversification for White- and Black-box Attacks

TL;DR

This paper introduces Output Diversified Sampling (ODS), a novel method to enhance adversarial attack efficiency by maximizing output diversity, applicable to both white-box and black-box attacks, leading to fewer queries and improved success rates.

Contribution

The paper proposes ODS, a transferable, gradient-based sampling strategy that improves adversarial attack effectiveness across different attack settings.

Findings

ODS reduces black-box attack queries by half on ImageNet.

ODS significantly improves the success rate of existing attacks.

Output diversity transferability enhances attack efficiency.

Abstract

Adversarial attacks often involve random perturbations of the inputs drawn from uniform or Gaussian distributions, e.g., to initialize optimization-based white-box attacks or generate update directions in black-box attacks. These simple perturbations, however, could be sub-optimal as they are agnostic to the model being attacked. To improve the efficiency of these attacks, we propose Output Diversified Sampling (ODS), a novel sampling strategy that attempts to maximize diversity in the target model's outputs among the generated samples. While ODS is a gradient-based strategy, the diversity offered by ODS is transferable and can be helpful for both white-box and black-box attacks via surrogate models. Empirically, we demonstrate that ODS significantly improves the performance of existing white-box and black-box attacks. In particular, ODS reduces the number of queries needed for state-of-the-art black-box attacks on ImageNet by a factor of two.