Enhancing Adversarial Transferability with Adversarial Weight Tuning

TL;DR

This paper introduces Adversarial Weight Tuning (AWT), a novel data-free method that enhances the transferability of adversarial examples by optimizing model smoothness and flat local maxima, outperforming existing attacks.

Contribution

The paper proposes AWT, a new adversarial attack method that adaptively tunes surrogate model parameters to improve transferability without extra data, grounded in insights about model smoothness and local maxima.

Findings

AWT achieves nearly 5 ext% and 10 ext% higher attack success rates on CNN and Transformer models.

Extensive experiments demonstrate AWT's superior transferability over state-of-the-art attacks.

Theoretical analysis links model smoothness and flat local maxima to adversarial transferability.

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples (AEs) that mislead the model while appearing benign to human observers. A critical concern is the transferability of AEs, which enables black-box attacks without direct access to the target model. However, many previous attacks have failed to explain the intrinsic mechanism of adversarial transferability. In this paper, we rethink the property of transferable AEs and reformulate the formulation of transferability. Building on insights from this mechanism, we analyze the generalization of AEs across models with different architectures and prove that we can find a local perturbation to mitigate the gap between surrogate and target models. We further establish the inner connections between model smoothness and flat local maxima, both of which contribute to the transferability of AEs. Further, we propose a new adversarial attack algorithm, \textbf{A}dversarial \textbf{W}eight \textbf{T}uning (AWT), which adaptively adjusts the parameters of the surrogate model using generated AEs to optimize the flat local maxima and model smoothness simultaneously, without the need for extra data. AWT is a data-free tuning method that combines gradient-based and model-based attack methods to enhance the transferability of AEs. Extensive experiments on a variety of models with different architectures on ImageNet demonstrate that AWT yields superior performance over other attacks, with an average increase of nearly 5\% and 10\% attack success rates on CNN-based and Transformer-based models, respectively, compared to state-of-the-art attacks. Code available at https://github.com/xaddwell/AWT.