Improving the Robustness of Adversarial Attacks Using an Affine-Invariant Gradient Estimator
Wenzhao Xiang, Hang Su, Chang Liu, Yandong Guo, Shibao Zheng

TL;DR
This paper introduces an affine-invariant gradient estimator to enhance the robustness and transferability of adversarial attacks against neural networks, especially under affine transformations, improving attack effectiveness in practical scenarios.
Contribution
The paper proposes a novel affine-invariant gradient estimator that can be integrated with existing attack methods to generate more robust adversarial examples under affine transformations.
Findings
Significantly improves affine invariance of adversarial examples
Enhances transferability of adversarial attacks
Effective under physical conditions
Abstract
As designers of artificial intelligence try to outwit hackers, both sides continue to hone in on AI's inherent vulnerabilities. Designed and trained from certain statistical distributions of data, AI's deep neural networks (DNNs) remain vulnerable to deceptive inputs that violate a DNN's statistical, predictive assumptions. Before being fed into a neural network, however, most existing adversarial examples cannot maintain malicious functionality when applied to an affine transformation. For practical purposes, maintaining that malicious functionality serves as an important measure of the robustness of adversarial attacks. To help DNNs learn to defend themselves more thoroughly against attacks, we propose an affine-invariant adversarial attack, which can consistently produce more robust adversarial examples over affine transformations. For efficiency, we propose to disentangle current…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
