Diverse Generative Perturbations on Attention Space for Transferable Adversarial Attacks

TL;DR

This paper introduces ADA, a stochastic adversarial attack method that perturbs attention features diversely to enhance transferability across models, outperforming existing techniques.

Contribution

The paper proposes a novel stochastic perturbation approach disrupting attention features to improve transferability of adversarial attacks.

Findings

ADA outperforms state-of-the-art transferability methods.

Stochastic perturbations explore the loss surface more effectively.

Disrupting attention features enhances attack transferability.

Abstract

Adversarial attacks with improved transferability - the ability of an adversarial example crafted on a known model to also fool unknown models - have recently received much attention due to their practicality. Nevertheless, existing transferable attacks craft perturbations in a deterministic manner and often fail to fully explore the loss surface, thus falling into a poor local optimum and suffering from low transferability. To solve this problem, we propose Attentive-Diversity Attack (ADA), which disrupts diverse salient features in a stochastic manner to improve transferability. Primarily, we perturb the image attention to disrupt universal features shared by different models. Then, to effectively avoid poor local optima, we disrupt these features in a stochastic manner and explore the search space of transferable perturbations more exhaustively. More specifically, we use a generator to produce adversarial perturbations that each disturbs features in different ways depending on an input latent code. Extensive experimental evaluations demonstrate the effectiveness of our method, outperforming the transferability of state-of-the-art methods. Codes are available at https://github.com/wkim97/ADA.