Defense-guided Transferable Adversarial Attacks
Zifei Zhang, Kai Qiao, Jian Chen, Ningning Liang

TL;DR
This paper introduces a defense-guided transferable adversarial attack framework that significantly improves attack transferability across models by leveraging a max-min input transformation strategy, outperforming existing methods.
Contribution
The paper proposes a novel max-min framework inspired by input transformations to enhance the transferability of adversarial attacks in black-box scenarios.
Findings
Achieves 58.38% average attack success rate, surpassing state-of-the-art methods.
Demonstrates significant transferability improvements on ImageNet.
Provides insights into the mechanisms behind transferability enhancement.
Abstract
Though deep neural networks perform challenging tasks excellently, they are susceptible to adversarial examples, which mislead classifiers by applying human-imperceptible perturbations on clean inputs. Under the query-free black-box scenario, adversarial examples are hard to transfer to unknown models, and several methods have been proposed with low transferability. To settle such an issue, we design a max-min framework inspired by input transformations, which are beneficial to both the adversarial attack and defense. Explicitly, we decrease loss values with inputs' affine transformations as a defense in the minimum procedure, and then increase loss values with the momentum iterative algorithm as an attack in the maximum procedure. To further promote transferability, we determine transformed values with the max-min theory. Extensive experiments on ImageNet demonstrate that our…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
