Improving Adversarial Transferability with Gradient Refining

TL;DR

This paper introduces Gradient Refining, a novel technique to enhance the transferability of adversarial examples across models, significantly improving black-box attack success rates on ImageNet.

Contribution

Gradient Refining corrects useless gradients in input diversity-based attacks, boosting transferability and outperforming existing methods in black-box adversarial attacks.

Findings

Achieves 82.07% transfer success rate on ImageNet.

Outperforms state-of-the-art methods by 6.0% on average.

Secured second place in CVPR 2021 adversarial attack competition.

Abstract

Deep neural networks are vulnerable to adversarial examples, which are crafted by adding human-imperceptible perturbations to original images. Most existing adversarial attack methods achieve nearly 100% attack success rates under the white-box setting, but only achieve relatively low attack success rates under the black-box setting. To improve the transferability of adversarial examples for the black-box setting, several methods have been proposed, e.g., input diversity, translation-invariant attack, and momentum-based attack. In this paper, we propose a method named Gradient Refining, which can further improve the adversarial transferability by correcting useless gradients introduced by input diversity through multiple transformations. Our method is generally applicable to many gradient-based attack methods combined with input diversity. Extensive experiments are conducted on the ImageNet dataset and our method can achieve an average transfer success rate of 82.07% for three different models under single-model setting, which outperforms the other state-of-the-art methods by a large margin of 6.0% averagely. And we have applied the proposed method to the competition CVPR 2021 Unrestricted Adversarial Attacks on ImageNet organized by Alibaba and won the second place in attack success rates among 1558 teams.