Improving Transferability of Adversarial Examples via Bayesian Attacks
Qizhang Li, Yiwen Guo, Xiaochen Yang, Wangmeng Zuo, Hao Chen

TL;DR
This paper enhances the transferability of adversarial examples by applying Bayesian methods to both model inputs and parameters, leading to state-of-the-art attack success rates on standard datasets.
Contribution
It introduces a Bayesian framework for adversarial attacks that jointly diversifies model inputs and parameters, surpassing existing methods in transferability.
Findings
Achieves higher transfer success rates on ImageNet and CIFAR-10.
Outperforms all state-of-the-art transfer-based attack methods.
Demonstrates the effectiveness of Bayesian approaches in adversarial attacks.
Abstract
The transferability of adversarial examples allows for the attack on unknown deep neural networks (DNNs), posing a serious threat to many applications and attracting great attention. In this paper, we improve the transferability of adversarial examples by incorporating the Bayesian formulation into both the model parameters and model input, enabling their joint diversification. We demonstrate that the combination of Bayesian formulations for both the model input and model parameters yields significant improvements in transferability. By introducing advanced approximations of the posterior distribution over the model input, adversarial transferability achieves further enhancement, surpassing all state-of-the-art methods when attacking without model fine-tuning. Additionally, we propose a principled approach to fine-tune model parameters within this Bayesian framework. Extensive experiments…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications
