Improving Adversarial Transferability via Model Alignment

TL;DR

This paper proposes a model alignment technique that fine-tunes a source neural network to better mimic a witness model, thereby enhancing the transferability of adversarial attacks across different models.

Contribution

The paper introduces a novel model alignment method that improves adversarial transferability by minimizing divergence between source and witness model predictions.

Findings

Aligned models produce more transferable adversarial perturbations.

Model alignment significantly increases attack success rates across architectures.

Geometric analysis reveals changes in the loss landscape due to alignment.

Abstract

Neural networks are susceptible to adversarial perturbations that are transferable across different models. In this paper, we introduce a novel model alignment technique aimed at improving a given source model's ability in generating transferable adversarial perturbations. During the alignment process, the parameters of the source model are fine-tuned to minimize an alignment loss. This loss measures the divergence in the predictions between the source model and another, independently trained model, referred to as the witness model. To understand the effect of model alignment, we conduct a geometric analysis of the resulting changes in the loss landscape. Extensive experiments on the ImageNet dataset, using a variety of model architectures, demonstrate that perturbations generated from aligned source models exhibit significantly higher transferability than those from the original source model.