Guidance Through Surrogate: Towards a Generic Diagnostic Attack

TL;DR

This paper introduces G-PGA, a guided attack method that uses surrogate models to improve adversarial attack efficiency and diagnose gradient masking in defenses, advancing robustness evaluation techniques.

Contribution

The paper proposes G-PGA, a novel guided attack that enhances attack success and diagnostic capabilities against gradient masking defenses, without requiring extensive search or restarts.

Findings

G-PGA improves attack success rate and efficiency.

G-PGA effectively diagnoses gradient masking in defenses.

The method can be combined with ensemble attacks for better robustness evaluation.

Abstract

Adversarial training is an effective approach to make deep neural networks robust against adversarial attacks. Recently, different adversarial training defenses are proposed that not only maintain a high clean accuracy but also show significant robustness against popular and well studied adversarial attacks such as PGD. High adversarial robustness can also arise if an attack fails to find adversarial gradient directions, a phenomenon known as `gradient masking'. In this work, we analyse the effect of label smoothing on adversarial training as one of the potential causes of gradient masking. We then develop a guided mechanism to avoid local minima during attack optimization, leading to a novel attack dubbed Guided Projected Gradient Attack (G-PGA). Our attack approach is based on a `match and deceive' loss that finds optimal adversarial directions through guidance from a surrogate model. Our modified attack does not require random restarts, large number of attack iterations or search for an optimal step-size. Furthermore, our proposed G-PGA is generic, thus it can be combined with an ensemble attack strategy as we demonstrate for the case of Auto-Attack, leading to efficiency and convergence speed improvements. More than an effective attack, G-PGA can be used as a diagnostic tool to reveal elusive robustness due to gradient masking in adversarial defenses.