Improving the Transferability of Adversarial Examples with Resized-Diverse-Inputs, Diversity-Ensemble and Region Fitting

TL;DR

This paper presents a novel three-stage pipeline combining resized-diverse-inputs, diversity-ensemble, and region fitting to generate highly transferable adversarial examples, significantly improving attack success rates against black-box defenses.

Contribution

The authors introduce a new three-stage attack pipeline that exploits internal relationships between attacks, enhancing transferability without extra runtime, and outperforming state-of-the-art methods.

Findings

Achieves 93% success rate against six black-box defenses

Integrates seamlessly with existing attacks without additional runtime

Provides insights into relationships between attack methods

Abstract

We introduce a three stage pipeline: resized-diverse-inputs (RDIM), diversity-ensemble (DEM) and region fitting, that work together to generate transferable adversarial examples. We first explore the internal relationship between existing attacks, and propose RDIM that is capable of exploiting this relationship. Then we propose DEM, the multi-scale version of RDIM, to generate multi-scale gradients. After the first two steps we transform value fitting into region fitting across iterations. RDIM and region fitting do not require extra running time and these three steps can be well integrated into other attacks. Our best attack fools six black-box defenses with a 93% success rate on average, which is higher than the state-of-the-art gradient-based attacks. Besides, we rethink existing attacks rather than simply stacking new methods on the old ones to get better performance. It is expected that our findings will serve as the beginning of exploring the internal relationship between attack methods. Codes are available at https://github.com/278287847/DEM.