Perturbing Across the Feature Hierarchy to Improve Standard and Strict Blackbox Attack Transferability
Nathan Inkawhich, Kevin J Liang, Binghui Wang, Matthew Inkawhich, Lawrence Carin, Yiran Chen

TL;DR
This paper introduces a novel blackbox adversarial attack method that perturbs features across multiple layers of DNNs, achieving higher transfer success rates and robustness even with limited queries.
Contribution
It proposes a flexible multi-layer feature perturbation framework that significantly improves targeted attack transferability across models and datasets.
Findings
Achieves state-of-the-art targeted transfer success rates on ImageNet models.
Outperforms existing blackbox attack methods, especially when source and target models differ.
Demonstrates effectiveness with limited query budgets in blackbox settings.
Abstract
We consider the blackbox transfer-based targeted adversarial attack threat model in the realm of deep neural network (DNN) image classifiers. Rather than focusing on crossing decision boundaries at the output layer of the source model, our method perturbs representations throughout the extracted feature hierarchy to resemble other classes. We design a flexible attack framework that allows for multi-layer perturbations and demonstrates state-of-the-art targeted transfer performance between ImageNet DNNs. We also show the superiority of our feature space methods under a relaxation of the common assumption that the source and target models are trained on the same dataset and label space, in some instances achieving a increase in targeted success rate relative to other blackbox transfer methods. Finally, we analyze why the proposed methods outperform existing attack strategies…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
