Learning to Transform Dynamically for Better Adversarial Transferability

TL;DR

This paper introduces Learning to Transform (L2T), a reinforcement learning-based method that optimizes input transformations to generate more transferable adversarial examples, significantly improving cross-model attack success rates.

Contribution

L2T is a novel approach that dynamically selects optimal transformation combinations to enhance adversarial transferability, surpassing existing input augmentation methods.

Findings

L2T outperforms current methods on ImageNet dataset.

L2T demonstrates effectiveness against Google Vision and GPT-4V.

Transformations optimized by L2T improve attack success rates.

Abstract

Adversarial examples, crafted by adding perturbations imperceptible to humans, can deceive neural networks. Recent studies identify the adversarial transferability across various models, \textit{i.e.}, the cross-model attack ability of adversarial samples. To enhance such adversarial transferability, existing input transformation-based methods diversify input data with transformation augmentation. However, their effectiveness is limited by the finite number of available transformations. In our study, we introduce a novel approach named Learning to Transform (L2T). L2T increases the diversity of transformed images by selecting the optimal combination of operations from a pool of candidates, consequently improving adversarial transferability. We conceptualize the selection of optimal transformation combinations as a trajectory optimization problem and employ a reinforcement learning strategy to effectively solve the problem. Comprehensive experiments on the ImageNet dataset, as well as practical tests with Google Vision and GPT-4V, reveal that L2T surpasses current methodologies in enhancing adversarial transferability, thereby confirming its effectiveness and practical significance. The code is available at https://github.com/RongyiZhu/L2T.