Admix: Enhancing the Transferability of Adversarial Attacks
- URL: http://arxiv.org/abs/2102.00436v1
- Date: Sun, 31 Jan 2021 11:40:50 GMT
- Title: Admix: Enhancing the Transferability of Adversarial Attacks
- Authors: Xiaosen Wang, Xuanran He, Jingdong Wang, Kun He
- Abstract summary: We propose a new input transformation based attack called Admix Attack Method (AAM).
AAM considers both the original image and an image randomly picked from other categories.
Our method could further improve the transferability and outperform the state-of-the-art combination of input transformations by a clear margin of 3.4%.
- Score: 46.69028919537312
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Although adversarial attacks have achieved incredible attack success rates
under the white-box setting, most existing adversaries often exhibit weak
transferability under the black-box setting. To address this issue, various
input transformations have been proposed to enhance the attack transferability.
In this work, we observe that all the existing transformations are applied on a
single image, which might limit the transferability of the crafted adversaries.
Hence, we propose a new input transformation based attack called Admix Attack
Method (AAM) that considers both the original image and an image randomly
picked from other categories. Instead of directly calculating the gradient on
the original input, AAM calculates the gradient on the admixed image
interpolated by the two images in order to craft adversaries with higher
transferability. Empirical evaluations on the standard ImageNet dataset
demonstrate that AAM could achieve much higher transferability than the
existing input transformation methods. By incorporating with other input
transformations, our method could further improve the transferability and
outperform the state-of-the-art combination of input transformations by a clear
margin of 3.4% on average when attacking nine advanced defense models.
Related papers
- TranSegPGD: Improving Transferability of Adversarial Examples on Semantic Segmentation [62.954089681629206]
We propose an effective two-stage adversarial attack strategy to improve the transferability of adversarial examples on semantic segmentation.
The proposed adversarial attack method can achieve state-of-the-art performance.
arXiv Detail & Related papers (2023-12-03T00:48:33Z)
- Rethinking Mixup for Improving the Adversarial Transferability [6.2867306093287905]
We propose a new input transformation-based attack called Mixing the Image but Separating the gradienT (MIST).
MIST randomly mixes the input image with a randomly shifted image and separates the gradient of each loss item for each mixed image.
Experiments on the ImageNet dataset demonstrate that MIST outperforms existing SOTA input transformation-based attacks.
arXiv Detail & Related papers (2023-11-28T03:10:44Z)
- Structure Invariant Transformation for better Adversarial Transferability [9.272426833639615]
We propose a novel input transformation based attack, called Structure Invariant Attack (SIA).
SIA applies a random image transformation onto each image block to craft a set of diverse images for gradient calculation.
Experiments on the standard ImageNet dataset demonstrate that SIA exhibits much better transferability than the existing SOTA input transformation based attacks.
arXiv Detail & Related papers (2023-09-26T06:31:32Z)
- Improving the Transferability of Adversarial Examples with Arbitrary Style Transfer [32.644062141738246]
A style transfer network can alter the distribution of low-level visual features in an image while preserving semantic content for humans.
We propose a novel attack method named Style Transfer Method (STM) that utilizes a proposed arbitrary style transfer network to transform the images into different domains.
Our proposed method can significantly improve the adversarial transferability on either normally trained models or adversarially trained models.
arXiv Detail & Related papers (2023-08-21T09:58:13Z)
- Boosting Adversarial Transferability by Block Shuffle and Rotation [25.603307815394764]
We propose a novel input transformation based attack called block shuffle and rotation (BSR).
BSR splits the input image into several blocks, then randomly shuffles and rotates these blocks to construct a set of new images for gradient calculation.
Empirical evaluations on the ImageNet dataset demonstrate that BSR could achieve significantly better transferability than the existing input transformation based methods.
arXiv Detail & Related papers (2023-08-20T15:38:40Z)
- Adaptive Image Transformations for Transfer-based Adversarial Attack [73.74904401540743]
We propose a novel architecture, called Adaptive Image Transformation Learner (AITL).
Our elaborately designed learner adaptively selects the most effective combination of image transformations specific to the input image.
Our method significantly improves the attack success rates on both normally trained models and defense models under various settings.
arXiv Detail & Related papers (2021-11-27T08:15:44Z)
- Towards Transferable Adversarial Attacks on Vision Transformers [110.55845478440807]
Vision transformers (ViTs) have demonstrated impressive performance on a series of computer vision tasks, yet they still suffer from adversarial examples.
We introduce a dual attack framework, which contains a Pay No Attention (PNA) attack and a PatchOut attack, to improve the transferability of adversarial samples across different ViTs.
arXiv Detail & Related papers (2021-09-09T11:28:25Z)
- Improving Adversarial Transferability with Gradient Refining [7.045900712659982]
Adversarial examples are crafted by adding human-imperceptible perturbations to original images.
Deep neural networks are vulnerable to adversarial examples, which are crafted by adding human-imperceptible perturbations to original images.
arXiv Detail & Related papers (2021-05-11T07:44:29Z)
- Gradient-based Adversarial Attacks against Text Transformers [96.73493433809419]
We propose the first general-purpose gradient-based attack against transformer models.
We empirically demonstrate that our white-box attack attains state-of-the-art attack performance on a variety of natural language tasks.
arXiv Detail & Related papers (2021-04-15T17:43:43Z)
- Error Diffusion Halftoning Against Adversarial Examples [85.11649974840758]
Adversarial examples contain carefully crafted perturbations that can fool deep neural networks into making wrong predictions.
We propose a new image transformation defense based on error diffusion halftoning, and combine it with adversarial training to defend against adversarial examples.
arXiv Detail & Related papers (2021-01-23T07:55:02Z)
This list is automatically generated from the titles and abstracts of the papers in this site.