Optimizing the Adversarial Perturbation with a Momentum-based Adaptive Matrix

TL;DR

This paper introduces AdaMI, a novel momentum-based adversarial attack that employs an adaptive matrix for improved transferability, stability, and imperceptibility in generating adversarial examples.

Contribution

It proposes a momentum-based adaptive matrix for adversarial attacks, addressing non-convergence issues and enhancing transferability over state-of-the-art methods.

Findings

AdaMI outperforms existing methods in transferability across networks.

The adaptive matrix improves attack stability and imperceptibility.

Theoretical proof of convergence for convex problems.

Abstract

Generating adversarial examples (AEs) can be formulated as an optimization problem. Among various optimization-based attacks, the gradient-based PGD and the momentum-based MI-FGSM have garnered considerable interest. However, all these attacks use the sign function to scale their perturbations, which raises several theoretical concerns from the point of view of optimization. In this paper, we first reveal that PGD is actually a specific reformulation of the projected gradient method using only the current gradient to determine its step-size. Further, we show that when we utilize a conventional adaptive matrix with the accumulated gradients to scale the perturbation, PGD becomes AdaGrad. Motivated by this analysis, we present a novel momentum-based attack AdaMI, in which the perturbation is optimized with an interesting momentum-based adaptive matrix. AdaMI is proved to attain optimal convergence for convex problems, indicating that it addresses the non-convergence issue of MI-FGSM, thereby ensuring stability of the optimization process. The experiments demonstrate that the proposed momentum-based adaptive matrix can serve as a general and effective technique to boost adversarial transferability over the state-of-the-art methods across different networks while maintaining better stability and imperceptibility.