Improving the Transferability of Targeted Adversarial Examples through Object-Based Diverse Input
Junyoung Byun, Seungju Cho, Myung-Joon Kwon, Hee-Seon Kim, Changick Kim

TL;DR
This paper introduces the object-based diverse input (ODI) method to improve transferability of targeted adversarial examples by rendering adversarial images on 3D objects, significantly increasing attack success rates across datasets.
Contribution
The paper proposes a novel ODI approach that enhances adversarial transferability by leveraging 3D object rendering and input diversification, outperforming existing augmentation techniques.
Findings
Boosts targeted attack success rate from 28.3% to 47.0% on ImageNet.
Effective in face verification adversarial examples.
Demonstrates superior transferability over prior methods.
Abstract
The transferability of adversarial examples allows the deception on black-box models, and transfer-based targeted attacks have attracted a lot of interest due to their practical applicability. To maximize the transfer success rate, adversarial examples should avoid overfitting to the source model, and image augmentation is one of the primary approaches for this. However, prior works utilize simple image transformations such as resizing, which limits input diversity. To tackle this limitation, we propose the object-based diverse input (ODI) method that draws an adversarial image on a 3D object and induces the rendered image to be classified as the target class. Our motivation comes from the humans' superior perception of an image printed on a 3D object. If the image is clear enough, humans can recognize the image content in a variety of viewing conditions. Likewise, if an adversarial…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning · Generative Adversarial Networks and Image Synthesis
