Staircase Sign Method for Boosting Adversarial Attacks
Qilong Zhang, Xiaosu Zhu, Jingkuan Song, Lianli Gao, and Heng Tao Shen

TL;DR
This paper introduces the Staircase Sign Method (S$^2$M), a novel gradient manipulation technique that enhances the transferability and effectiveness of adversarial attacks without significant computational cost.
Contribution
The paper proposes S$^2$M, which segments gradient signs into multiple levels with staircase weights, improving adversarial attack transferability over the traditional Sign Method (SM).
Findings
Significantly improves transferability of adversarial examples.
Effective in both white-box and black-box attack scenarios.
Achieves an average transferability increase of 5.1% and 12.8% on ImageNet.
Abstract
Crafting adversarial examples for the transfer-based attack is challenging and remains a research hot spot. Currently, such attack methods are based on the hypothesis that the substitute model and the victim model learn similar decision boundaries, and they conventionally apply Sign Method (SM) to manipulate the gradient as the resultant perturbation. Although SM is efficient, it only extracts the sign of gradient units but ignores their value difference, which inevitably leads to a deviation. Therefore, we propose a novel Staircase Sign Method (S$^2$M) to alleviate this issue, thus boosting attacks. Technically, our method heuristically divides the gradient sign into several segments according to the values of the gradient units, and then assigns each segment with a staircase weight for better crafting adversarial perturbation. As a result, our adversarial examples perform better in…
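The deviation the abstract attributes to SM can be measured on a constructed gradient vector, as in this added example (not the paper's code). The equal-size magnitude buckets, the weights (2s + 1)/k, and all function names are assumptions made for illustration; the page itself only says that segments follow the gradient values and receive staircase weights.

```python
import math
import random

def sign_method(grad):
    """Sign Method (SM): keep only the sign of each gradient unit."""
    return [(g > 0) - (g < 0) for g in grad]

def staircase_sign(grad, k=4):
    """Staircase-weighted sign with k magnitude segments.

    Assumption: units are ranked by |g| and split into k equal-size
    buckets; bucket s (0 = smallest) gets weight (2s + 1) / k, which
    keeps the mean weight at 1, the same per-unit budget as SM.
    """
    n = len(grad)
    order = sorted(range(n), key=lambda i: abs(grad[i]))
    out = [0.0] * n
    for rank, i in enumerate(order):
        seg = min(rank * k // n, k - 1)
        sign = (grad[i] > 0) - (grad[i] < 0)
        out[i] = sign * (2 * seg + 1) / k
    return out

def cosine(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)

def compare(n=10000, k=4, seed=0):
    """Return (cos(grad, SM), cos(grad, staircase)) for a constructed gradient."""
    rng = random.Random(seed)
    # Constructed stand-in for a loss gradient: i.i.d. standard normal units.
    grad = [rng.gauss(0.0, 1.0) for _ in range(n)]
    return cosine(grad, sign_method(grad)), cosine(grad, staircase_sign(grad, k))

if __name__ == "__main__":
    sm, s2m = compare()
    print(f"cosine to true gradient: SM={sm:.3f}  staircase={s2m:.3f}")
```

A cosine closer to 1 means the manipulated direction stays closer to the actual gradient, which is the property a robustness evaluation should account for when it benchmarks defenses only against SM-based perturbations.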
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
