Disrupting Semantic and Abstract Features for Better Adversarial Transferability

TL;DR

This paper introduces SAFER, a novel method that disrupts both semantic and abstract features in images by manipulating high-frequency components, significantly enhancing the transferability of adversarial examples across neural networks.

Contribution

SAFER is the first approach to simultaneously target semantic and high-frequency features for improved adversarial transferability.

Findings

SAFER outperforms existing methods in transferability on ImageNet.

Disrupting high-frequency features enhances attack success in black-box settings.

The method effectively combines semantic and abstract feature disruption for stronger adversarial attacks.

Abstract

Adversarial examples pose significant threats to deep neural networks (DNNs), and their property of transferability in the black-box setting has led to the emergence of transfer-based attacks, making it feasible to target real-world applications employing DNNs. Among them, feature-level attacks, where intermediate features are perturbed based on feature importance weight matrix computed from transformed images, have gained popularity. In this work, we find that existing feature-level attacks primarily manipulate the semantic information to derive the weight matrix. Inspired by several works that find CNNs tend to focus more on high-frequency components (a.k.a. abstract features, e.g., texture, edge, etc.), we validate that transforming images in the high-frequency space also improves transferability. Based on this finding, we propose a balanced approach called Semantic and Abstract FEatures disRuption (SAFER). Specifically, SAFER conducts BLOCKMIX on the input image and SELF-MIX on the frequency spectrum when computing the weight matrix to highlight crucial features. By using such a weight matrix, we can direct the attacker to disrupt both semantic and abstract features, leading to improved transferability. Extensive experiments on the ImageNet dataset also demonstrate the effectiveness of our method in boosting adversarial transferability.