Transferable Adversarial Examples with Bayes Approach
Mingyuan Fan, Cen Chen, Wenmeng Zhou, Yinggui Wang

TL;DR
This paper introduces BayAtk, a Bayesian-based method for generating more transferable adversarial examples, significantly improving black-box attack success rates against various models.
Contribution
It proposes a novel Bayesian approach with transferability-promoting priors and an adaptive weighting strategy to enhance adversarial example transferability.
Findings
BayAtk outperforms existing attacks in transferability.
Bayesian priors improve the effectiveness of adversarial examples.
The method is effective against both defended and undefended models.
Abstract
The vulnerability of deep neural networks (DNNs) to black-box adversarial attacks is one of the most heated topics in trustworthy AI. In such attacks, the attackers operate without any insider knowledge of the model, making the cross-model transferability of adversarial examples critical. Despite the potential for adversarial examples to be effective across various models, it has been observed that adversarial examples that are specifically crafted for a specific model often exhibit poor transferability. In this paper, we explore the transferability of adversarial examples via the lens of a Bayesian approach. Specifically, we leverage a Bayesian approach to probe the transferability and then study what constitutes a transferability-promoting prior. Following this, we design two concrete transferability-promoting priors, along with an adaptive dynamic weighting strategy for instances sampled…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Mass Spectrometry Techniques and Applications · Machine Learning in Materials Science
