Boosting Adversarial Transferability via Residual Perturbation Attack

TL;DR

This paper introduces Residual Perturbation Attack (ResPA), a novel method that improves adversarial transferability by guiding perturbations towards flat loss regions using residual gradients, outperforming existing methods.

Contribution

ResPA leverages residual gradients and exponential moving averages to enhance transferability of adversarial examples in black-box attacks, addressing limitations of prior flatness-based approaches.

Findings

ResPA achieves superior transferability compared to existing methods.

Combining ResPA with input transformations further improves attack success.

ResPA effectively guides adversarial examples toward flat loss regions.

Abstract

Deep neural networks are susceptible to adversarial examples while suffering from incorrect predictions via imperceptible perturbations. Transfer-based attacks create adversarial examples for surrogate models and transfer these examples to target models under black-box scenarios. Recent studies reveal that adversarial examples in flat loss landscapes exhibit superior transferability to alleviate overfitting on surrogate models. However, the prior arts overlook the influence of perturbation directions, resulting in limited transferability. In this paper, we propose a novel attack method, named Residual Perturbation Attack (ResPA), relying on the residual gradient as the perturbation direction to guide the adversarial examples toward the flat regions of the loss function. Specifically, ResPA conducts an exponential moving average on the input gradients to obtain the first moment as the reference gradient, which encompasses the direction of historical gradients. Instead of heavily relying on the local flatness that stems from the current gradients as the perturbation direction, ResPA further considers the residual between the current gradient and the reference gradient to capture the changes in the global perturbation direction. The experimental results demonstrate the better transferability of ResPA than the existing typical transfer-based attack methods, while the transferability can be further improved by combining ResPA with the current input transformation methods. The code is available at https://github.com/ZezeTao/ResPA.