Sampling-based Fast Gradient Rescaling Method for Highly Transferable Adversarial Attacks

TL;DR

This paper introduces a sampling-based gradient rescaling method that enhances the transferability of adversarial examples in black-box attacks by replacing the sign function with data rescaling and stabilizing the gradient updates.

Contribution

The paper proposes a novel Sampling-based Fast Gradient Rescaling Method (S-FGRM) that improves adversarial transferability without additional computational cost and can be integrated with existing gradient-based attacks.

Findings

S-FGRM significantly boosts attack transferability on ImageNet.

Outperforms state-of-the-art baseline methods.

Applicable to various gradient-based attack frameworks.

Abstract

Deep neural networks have shown to be very vulnerable to adversarial examples crafted by adding human-imperceptible perturbations to benign inputs. After achieving impressive attack success rates in the white-box setting, more focus is shifted to black-box attacks. In either case, the common gradient-based approaches generally use the $sign$ function to generate perturbations at the end of the process. However, only a few works pay attention to the limitation of the $sign$ function. Deviation between the original gradient and the generated noises may lead to inaccurate gradient update estimation and suboptimal solutions for adversarial transferability, which is crucial for black-box attacks. To address this issue, we propose a Sampling-based Fast Gradient Rescaling Method (S-FGRM) to improve the transferability of the crafted adversarial examples. Specifically, we use data rescaling to substitute the inefficient $sign$ function in gradient-based attacks without extra computational cost. We also propose a Depth First Sampling method to eliminate the fluctuation of rescaling and stabilize the gradient update. Our method can be used in any gradient-based optimizations and is extensible to be integrated with various input transformation or ensemble methods for further improving the adversarial transferability. Extensive experiments on the standard ImageNet dataset show that our S-FGRM could significantly boost the transferability of gradient-based attacks and outperform the state-of-the-art baselines.