Efficient and Transferable Adversarial Examples from Bayesian Neural Networks
Martin Gubri, Maxime Cordy, Mike Papadakis, Yves Le Traon, Koushik Sen

TL;DR
This paper introduces a Bayesian neural network-based method for creating more effective and transferable adversarial examples, significantly improving attack success rates while reducing computational costs.
Contribution
It proposes a novel Bayesian approach to surrogate model training that enhances transferability of adversarial examples, outperforming existing ensemble-based methods.
Findings
Achieves up to 83.2 percentage points increase in attack success rates.
Reaches 94% success rate on ImageNet with reduced computation.
Surpasses test-time techniques in transferability by 87.5%.
Abstract
An established way to improve the transferability of black-box evasion attacks is to craft the adversarial examples on an ensemble-based surrogate to increase diversity. We argue that transferability is fundamentally related to uncertainty. Based on a state-of-the-art Bayesian Deep Learning technique, we propose a new method to efficiently build a surrogate by sampling approximately from the posterior distribution of neural network weights, which represents the belief about the value of each parameter. Our extensive experiments on ImageNet, CIFAR-10 and MNIST show that our approach improves the success rates of four state-of-the-art attacks significantly (up to 83.2 percentage points), in both intra-architecture and inter-architecture transferability. On ImageNet, our approach can reach 94% of success rate while reducing training computations from 11.6 to 2.4 exaflops, compared to an…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
