Improving Transferable Targeted Attacks with Feature Tuning Mixup
Kaisheng Liang, Xuelong Dai, Yanjie Li, Dong Wang, Bin Xiao

TL;DR
This paper introduces Feature Tuning Mixup (FTM), a novel method that improves the transferability of targeted adversarial attacks on DNNs by combining optimized feature perturbations with ensemble strategies, achieving better results with lower computational costs.
Contribution
The paper proposes FTM, a new approach that optimizes feature space perturbations for more transferable targeted attacks, outperforming existing methods with reduced computational overhead.
Findings
FTM significantly improves attack transferability across models.
An ensemble of FTM-perturbed models enhances attack success rates.
The method maintains low computational cost while outperforming state-of-the-art methods.
Abstract
Deep neural networks (DNNs) exhibit vulnerability to adversarial examples that can transfer across different DNN models. A particularly challenging problem is developing transferable targeted attacks that can mislead DNN models into predicting specific target classes. While various methods have been proposed to enhance attack transferability, they often incur substantial computational costs while yielding limited improvements. Recent clean feature mixup methods use random clean features to perturb the feature space but lack optimization for disrupting adversarial examples, overlooking the advantages of attack-specific perturbations. In this paper, we propose Feature Tuning Mixup (FTM), a novel method that enhances targeted attack transferability by combining both random and optimized noises in the feature space. FTM introduces learnable feature perturbations and employs an efficient…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Information and Cyber Security
Methods: Mixup
