Improving Integrated Gradient-based Transferable Adversarial Examples by Refining the Integration Path

TL;DR

This paper introduces MuMoDIG, a refined integrated gradient method that significantly enhances the transferability of adversarial examples across models and defenses, addressing limitations of previous IG-based attacks.

Contribution

The paper proposes MuMoDIG, a novel IG-based attack that refines the integration path through multiplicity, monotonicity, and diversity, improving transferability in black-box scenarios.

Findings

MuMoDIG outperforms existing IG-based attacks by up to 37.3%.

MuMoDIG surpasses other state-of-the-art attacks by 8.4%.

Theoretical analysis supports the effectiveness of the refined integration path.

Abstract

Transferable adversarial examples are known to cause threats in practical, black-box attack scenarios. A notable approach to improving transferability is using integrated gradients (IG), originally developed for model interpretability. In this paper, we find that existing IG-based attacks have limited transferability due to their naive adoption of IG in model interpretability. To address this limitation, we focus on the IG integration path and refine it in three aspects: multiplicity, monotonicity, and diversity, supported by theoretical analyses. We propose the Multiple Monotonic Diversified Integrated Gradients (MuMoDIG) attack, which can generate highly transferable adversarial examples on different CNN and ViT models and defenses. Experiments validate that MuMoDIG outperforms the latest IG-based attack by up to 37.3\% and other state-of-the-art attacks by 8.4\%. In general, our study reveals that migrating established techniques to improve transferability may require non-trivial efforts. Code is available at \url{https://github.com/RYC-98/MuMoDIG}.