Generating Adversarial Examples with Controllable Non-transferability

TL;DR

This paper introduces novel methods for generating adversarial examples with controllable non-transferability, enabling targeted attacks on specific models while avoiding others, thus enhancing attack precision and security analysis.

Contribution

It proposes two new attack techniques—Reversed Loss Function Ensemble and Transferability Classification—for crafting non-transferable adversarial examples in various threat models.

Findings

Effective in white-box and gray-box settings

Guided generation of non-transferable adversarial examples

Demonstrates efficiency and effectiveness of methods

Abstract

Adversarial attacks against Deep Neural Networks have been widely studied. One significant feature that makes such attacks particularly powerful is transferability, where the adversarial examples generated from one model can be effective against other similar models as well. A large number of works have been done to increase the transferability. However, how to decrease the transferability and craft malicious samples only for specific target models are not explored yet. In this paper, we design novel attack methodologies to generate adversarial examples with controllable non-transferability. With these methods, an adversary can efficiently produce precise adversarial examples to attack a set of target models he desires, while keeping benign to other models. The first method is Reversed Loss Function Ensemble, where the adversary can craft qualified examples from the gradients of a reversed loss function. This approach is effective for the white-box and gray-box settings. The second method is Transferability Classification: the adversary trains a transferability-aware classifier from the perturbations of adversarial examples. This classifier further provides the guidance for the generation of non-transferable adversarial examples. This approach can be applied to the black-box scenario. Evaluation results demonstrate the effectiveness and efficiency of our proposed methods. This work opens up a new route for generating adversarial examples with new features and applications.