Boosting Adversarial Transferability of MLP-Mixer

TL;DR

This paper introduces Maxwell's demon Attack (MA), a novel adversarial attack method that significantly enhances transferability of adversarial examples against MLP-Mixer models, outperforming existing methods and addressing a gap in MLP-Mixer security research.

Contribution

The paper presents the first study on adversarial transferability of MLP-Mixer and proposes MA, which improves transferability by up to 38%, surpassing existing attack methods.

Findings

MA improves transferability by up to 38% on ResMLP.

Adversarial examples on MLP-Mixer can outperform DenseNet against CNNs.

First work to study adversarial transferability of MLP-Mixer.

Abstract

The security of models based on new architectures such as MLP-Mixer and ViTs needs to be studied urgently. However, most of the current researches are mainly aimed at the adversarial attack against ViTs, and there is still relatively little adversarial work on MLP-mixer. We propose an adversarial attack method against MLP-Mixer called Maxwell's demon Attack (MA). MA breaks the channel-mixing and token-mixing mechanism of MLP-Mixer by controlling the part input of MLP-Mixer's each Mixer layer, and disturbs MLP-Mixer to obtain the main information of images. Our method can mask the part input of the Mixer layer, avoid overfitting of the adversarial examples to the source model, and improve the transferability of cross-architecture. Extensive experimental evaluation demonstrates the effectiveness and superior performance of the proposed MA. Our method can be easily combined with existing methods and can improve the transferability by up to 38.0% on MLP-based ResMLP. Adversarial examples produced by our method on MLP-Mixer are able to exceed the transferability of adversarial examples produced using DenseNet against CNNs. To the best of our knowledge, we are the first work to study adversarial transferability of MLP-Mixer.