The Relationship Between Network Similarity and Transferability of Adversarial Attacks

TL;DR

This paper explores how the similarity between neural networks influences the success of transferred adversarial attacks, providing insights for designing more robust models and demonstrating predictive modeling of attack success rates.

Contribution

It introduces a detailed analysis of network similarity's impact on attack transferability and proposes a predictive model with over 90% accuracy for attack success rates.

Findings

Network similarity varies across architectures, with complex models like DenseNet showing lower similarity.

Layer similarity is highest in basic layers such as Conv2d and Dropout.

A DecisionTreeRegressor can predict attack success rates with over 90% accuracy.

Abstract

Neural networks are vulnerable to adversarial attacks, and several defenses have been proposed. Designing a robust network is a challenging task given the wide range of attacks that have been developed. Therefore, we aim to provide insight into the influence of network similarity on the success rate of transferred adversarial attacks. Network designers can then compare their new network with existing ones to estimate its vulnerability. To achieve this, we investigate the complex relationship between network similarity and the success rate of transferred adversarial attacks. We applied the Centered Kernel Alignment (CKA) network similarity score and used various methods to find a correlation between a large number of Convolutional Neural Networks (CNNs) and adversarial attacks. Network similarity was found to be moderate across different CNN architectures, with more complex models such as DenseNet showing lower similarity scores due to their architectural complexity. Layer similarity was highest for consistent, basic layers such as DataParallel, Dropout and Conv2d, while specialized layers showed greater variability. Adversarial attack success rates were generally consistent for non-transferred attacks, but varied significantly for some transferred attacks, with complex networks being more vulnerable. We found that a DecisionTreeRegressor can predict the success rate of transferred attacks for all black-box and Carlini & Wagner attacks with an accuracy of over 90%, suggesting that predictive models may be viable under certain conditions. However, the variability of results across different data subsets underscores the complexity of these relationships and suggests that further research is needed to generalize these findings across different attack scenarios and network architectures.