Boosting Adversarial Transferability Against Defenses via Multi-Scale Transformation
Zihong Guo, Chen Wan, Yayin Zheng, Hailing Kuang, Xiaohai Lu

TL;DR
This paper introduces the Segmented Gaussian Pyramid (SGP) attack, a multi-scale transformation method that significantly improves the transferability of adversarial examples against defense models.
Contribution
The paper proposes a novel multi-scale attack method using Gaussian filtering and downsampling to enhance adversarial transferability against defenses.
Findings
SGP increases attack success rates by up to 32.6%.
The method is easily integrated into existing attacks.
SGP outperforms state-of-the-art transferability methods.
Abstract
The transferability of adversarial examples poses a significant security challenge for deep neural networks, which can be attacked without knowing anything about them. In this paper, we propose a new Segmented Gaussian Pyramid (SGP) attack method to enhance the transferability, particularly against defense models. Unlike existing methods that generally focus on single-scale images, our approach employs Gaussian filtering and three types of downsampling to construct a series of multi-scale examples. Then, the gradients of the loss function with respect to each scale are computed, and their average is used to determine the adversarial perturbations. The proposed SGP can be considered an input transformation with high extensibility that is easily integrated into most existing adversarial attacks. Extensive experiments demonstrate that in contrast to the state-of-the-art methods, SGP…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Generative Adversarial Networks and Image Synthesis · Explainable Artificial Intelligence (XAI)
Methods: Focus
