Boosting Adversarial Transferability through Enhanced Momentum

TL;DR

This paper introduces an enhanced momentum iterative gradient method that improves the transferability of adversarial examples across models, significantly outperforming previous methods on ImageNet and against defense models.

Contribution

The paper proposes a novel momentum-based attack method that accumulates average gradients to stabilize updates and escape local maxima, boosting transferability.

Findings

Improves transferability by 11.1% on average on ImageNet.

Further enhances transferability with input transformations.

Achieves at least 7.8% improvement against defense models.

Abstract

Deep learning models are known to be vulnerable to adversarial examples crafted by adding human-imperceptible perturbations on benign images. Many existing adversarial attack methods have achieved great white-box attack performance, but exhibit low transferability when attacking other models. Various momentum iterative gradient-based methods are shown to be effective to improve the adversarial transferability. In what follows, we propose an enhanced momentum iterative gradient-based method to further enhance the adversarial transferability. Specifically, instead of only accumulating the gradient during the iterative process, we additionally accumulate the average gradient of the data points sampled in the gradient direction of the previous iteration so as to stabilize the update direction and escape from poor local maxima. Extensive experiments on the standard ImageNet dataset demonstrate that our method could improve the adversarial transferability of momentum-based methods by a large margin of 11.1% on average. Moreover, by incorporating with various input transformation methods, the adversarial transferability could be further improved significantly. We also attack several extra advanced defense models under the ensemble-model setting, and the enhancements are remarkable with at least 7.8% on average.