Admix: Enhancing the Transferability of Adversarial Attacks
Xiaosen Wang, Xuanran He, Jingdong Wang, Kun He

TL;DR
Admix introduces a novel input transformation attack that combines the original image with randomly sampled images from other categories, significantly improving adversarial transferability across models and defenses.
Contribution
The paper proposes Admix, a new input transformation method that enhances adversarial transferability by mixing the input with other images, outperforming existing methods and combining well with other transformations.
Findings
Admix achieves higher transferability than existing input transformation methods.
It outperforms state-of-the-art methods on nine advanced defense models.
Combining Admix with other transformations further improves attack success rates.
Abstract
Deep neural networks are known to be extremely vulnerable to adversarial examples in the white-box setting. Moreover, adversarial examples crafted on a surrogate (source) model often exhibit black-box transferability to other models trained for the same task but with different architectures. Recently, various methods have been proposed to boost adversarial transferability, among which input transformation is one of the most effective approaches. We investigate this direction and observe that existing transformations are all applied to a single image, which might limit adversarial transferability. To this end, we propose a new input transformation based attack called Admix, which considers the input image together with a set of images randomly sampled from other categories. Instead of directly calculating the gradient on the original input, Admix calculates the gradient on…
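The following is an added worked example, not code from the paper or its authors, showing what "calculating the gradient on admixed copies of the input" looks like in practice. Everything in it is constructed for illustration: the surrogate is a linear softmax classifier with random weights over 64-pixel "images", the mixed-in images are random vectors standing in for samples from other categories, and the mixing form x̃ = γ·(x + η·x′) with η = 0.2 and the five SIM-style scales γ ∈ {1, 1/2, 1/4, 1/8, 1/16} is an assumption taken from the paper's description rather than from this page. The admixed gradient is then plugged into a plain MI-FGSM loop so the resulting perturbation stays inside an L∞ ball of radius ε around the clean image.

```python
import numpy as np

# Constructed toy setting (not the paper's models or data): 8x8 grayscale
# "images" flattened to 64 dims, 3 classes, and a linear softmax classifier
# with fixed random weights standing in for the white-box surrogate model.
_rng = np.random.default_rng(0)
D, C = 64, 3
W = _rng.normal(scale=0.1, size=(C, D))
B = np.zeros(C)

X_CLEAN = _rng.random(D)  # the input image x, pixels in [0, 1]
Y_TRUE = 0                # its true label
# Images "from other categories" that Admix mixes in (constructed at random here).
X_OTHERS = [_rng.random(D) for _ in range(3)]


def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()


def loss_and_grad(x, y):
    """Cross-entropy loss of the linear surrogate at x and its gradient w.r.t. x."""
    p = softmax(W @ x + B)
    loss = -np.log(p[y] + 1e-12)
    dz = p.copy()
    dz[y] -= 1.0  # d loss / d logits for softmax cross-entropy
    return loss, W.T @ dz


def admix_gradient(x, y, others, eta=0.2, scales=(1.0, 0.5, 0.25, 0.125, 0.0625)):
    """Admix-style gradient: average the input gradient over admixed copies
    x_tilde = gamma * (x + eta * x_other), one per sampled x_other and scale gamma.
    Assumption: this weighting and these constants follow the paper's description;
    they are not stated on the page this example accompanies."""
    g = np.zeros_like(x)
    for x_other in others:
        for gamma in scales:
            x_tilde = gamma * (x + eta * x_other)
            _, g_tilde = loss_and_grad(x_tilde, y)
            g += gamma * g_tilde  # chain rule through the scaling by gamma
    return g / (len(others) * len(scales))


def admix_mifgsm(x, y, others, eps=16 / 255, steps=10, mu=1.0, eta=0.2):
    """MI-FGSM whose per-step gradient is replaced by the Admix gradient.
    Keeps x_adv inside the L_inf ball of radius eps around x and inside [0, 1]."""
    alpha = eps / steps
    x_adv = x.copy()
    momentum = np.zeros_like(x)
    for _ in range(steps):
        g = admix_gradient(x_adv, y, others, eta=eta)
        momentum = mu * momentum + g / (np.abs(g).sum() + 1e-12)  # L1-normalised, as in MI-FGSM
        x_adv = x_adv + alpha * np.sign(momentum)
        x_adv = np.clip(x_adv, x - eps, x + eps)  # project back into the eps-ball
        x_adv = np.clip(x_adv, 0.0, 1.0)          # stay a valid image
    return x_adv


def run_attack():
    """Craft an Admix adversarial example for X_CLEAN and report the loss change."""
    x_adv = admix_mifgsm(X_CLEAN, Y_TRUE, X_OTHERS)
    loss_clean, _ = loss_and_grad(X_CLEAN, Y_TRUE)
    loss_adv, _ = loss_and_grad(x_adv, Y_TRUE)
    return {
        "x_adv": x_adv,
        "loss_clean": float(loss_clean),
        "loss_adv": float(loss_adv),
        "linf": float(np.abs(x_adv - X_CLEAN).max()),
    }


if __name__ == "__main__":
    r = run_attack()
    print(f"loss clean={r['loss_clean']:.4f} adv={r['loss_adv']:.4f} linf={r['linf']:.4f}")
```

With `eta=0.0` and a single scale of 1.0 the routine collapses to the ordinary input gradient, which is a useful sanity check when porting the transform onto a real model: any difference between `admix_gradient` and the plain gradient should come only from the mixing and scaling, never from the bookkeeping around them.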
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Neural Network Applications
