Improving the Transferability of Adversarial Samples by Path-Augmented Method

TL;DR

This paper introduces the Path-Augmented Method (PAM) to improve transferability of adversarial samples by intelligently selecting augmentation paths, resulting in higher attack success rates against neural networks.

Contribution

The paper proposes PAM, which constructs and optimizes augmentation paths using a greedy search and semantics prediction to enhance adversarial transferability.

Findings

PAM achieves over 4.8% higher attack success rates on average.

Constructing and optimizing augmentation paths improves transferability.

Semantics predictor effectively constrains augmentation paths.

Abstract

Deep neural networks have achieved unprecedented success on diverse vision tasks. However, they are vulnerable to adversarial noise that is imperceptible to humans. This phenomenon negatively affects their deployment in real-world scenarios, especially security-related ones. To evaluate the robustness of a target model in practice, transfer-based attacks craft adversarial samples with a local model and have attracted increasing attention from researchers due to their high efficiency. The state-of-the-art transfer-based attacks are generally based on data augmentation, which typically augments multiple training images from a linear path when learning adversarial samples. However, such methods selected the image augmentation path heuristically and may augment images that are semantics-inconsistent with the target images, which harms the transferability of the generated adversarial samples. To overcome the pitfall, we propose the Path-Augmented Method (PAM). Specifically, PAM first constructs a candidate augmentation path pool. It then settles the employed augmentation paths during adversarial sample generation with greedy search. Furthermore, to avoid augmenting semantics-inconsistent images, we train a Semantics Predictor (SP) to constrain the length of the augmentation path. Extensive experiments confirm that PAM can achieve an improvement of over 4.8% on average compared with the state-of-the-art baselines in terms of the attack success rates.