Making Adversarial Examples More Transferable and Indistinguishable

TL;DR

This paper introduces AI-FGTM, a new method for generating adversarial examples that are both highly transferable and indistinguishable, improving attack success rates and reducing perturbation.

Contribution

The paper proposes AI-FGTM, a novel adversarial attack method that enhances transferability and indistinguishability without extra computational cost.

Findings

Achieves an average attack success rate of 89.3% on six defense models.

Reduces mean perturbation by nearly 20%.

Outperforms state-of-the-art gradient-based attacks.

Abstract

Fast gradient sign attack series are popular methods that are used to generate adversarial examples. However, most of the approaches based on fast gradient sign attack series cannot balance the indistinguishability and transferability due to the limitations of the basic sign structure. To address this problem, we propose a method, called Adam Iterative Fast Gradient Tanh Method (AI-FGTM), to generate indistinguishable adversarial examples with high transferability. Besides, smaller kernels and dynamic step size are also applied to generate adversarial examples for further increasing the attack success rates. Extensive experiments on an ImageNet-compatible dataset show that our method generates more indistinguishable adversarial examples and achieves higher attack success rates without extra running time and resource. Our best transfer-based attack NI-TI-DI-AITM can fool six classic defense models with an average success rate of 89.3% and three advanced defense models with an average success rate of 82.7%, which are higher than the state-of-the-art gradient-based attacks. Additionally, our method can also reduce nearly 20% mean perturbation. We expect that our method will serve as a new baseline for generating adversarial examples with better transferability and indistinguishability.