Attacking Transformers with Feature Diversity Adversarial Perturbation
Chenxing Gao, Hang Zhou, Junqing Yu, YuTeng Ye, Jiale Cai, Junle Wang, Wei Yang

TL;DR
This paper introduces a label-free white-box attack method targeting Vision Transformers, leveraging the feature collapse phenomenon to generate highly transferable adversarial perturbations across various models and modalities.
Contribution
It proposes the feature diversity attacker, which exploits feature collapse in ViTs and achieves superior transferability without relying on labels to compute the perturbation gradient.
Findings
High transferability of attacks across models and modalities
Effective attack performance on various ViT variants, CNNs, and MLPs
Utilizes feature collapse phenomenon to enhance attack success
Abstract
Understanding the mechanisms behind Vision Transformer (ViT), particularly its vulnerability to adversarial perturbations, is crucial for addressing challenges in its real-world applications. Existing ViT adversarial attackers rely on labels to calculate the gradient for perturbation, and exhibit low transferability to other structures and tasks. In this paper, we present a label-free white-box attack approach for ViT-based models that exhibits strong transferability to various black-box models, including most ViT variants, CNNs, and MLPs, even for models developed for other modalities. Our inspiration comes from the feature collapse phenomenon in ViTs, where the critical attention mechanism overly depends on the low-frequency component of features, causing the features in middle-to-end layers to become increasingly similar and eventually collapse. We propose the feature diversity…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
Methods: Attention Is All You Need · Position-Wise Feed-Forward Layer · Byte Pair Encoding · Absolute Position Encodings · Residual Connection · Dropout · Softmax · Linear Layer · Dense Connections · Label Smoothing
