GNP Attack: Transferable Adversarial Examples via Gradient Norm Penalty
Tao Wu, Tie Luo, Donald C. Wunsch

TL;DR
This paper introduces a Gradient Norm Penalty method to improve the transferability of adversarial examples, making black-box attacks more effective across diverse models and defenses.
Contribution
It proposes a novel Gradient Norm Penalty approach that enhances adversarial example transferability by encouraging optimization to find flatter local optima.
Findings
GNP significantly improves transferability across multiple models.
GNP can be integrated with other gradient-based attack methods.
The method is effective against advanced defense mechanisms.
Abstract
Adversarial examples (AE) with good transferability enable practical black-box attacks on diverse target models, where insider knowledge about the target models is not required. Previous methods often generate AE with no or very limited transferability; that is, they easily overfit to the particular architecture and feature representation of the source, white-box model and the generated AE barely work for target, black-box models. In this paper, we propose a novel approach to enhance AE transferability using Gradient Norm Penalty (GNP). It drives the loss function optimization procedure to converge to a flat region of local optima in the loss landscape. By attacking 11 state-of-the-art (SOTA) deep learning models and 6 advanced defense methods, we empirically show that GNP is very effective in generating AE with high transferability. We also demonstrate that it is very flexible in that…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
Methods: Autoencoders
