Frequency Domain Model Augmentation for Adversarial Attack

• URL: http://arxiv.org/abs/2207.05382v1
• Date: Tue, 12 Jul 2022 08:26:21 GMT
• Title: Frequency Domain Model Augmentation for Adversarial Attack
• Authors: Yuyang Long, Qilong Zhang, Boheng Zeng, Lianli Gao, Xianglong Liu, Jian Zhang, Jingkuan Song
• Abstract summary: For black-box attacks, the gap between the substitute model and the victim model is usually large. We propose a novel spectrum simulation attack to craft more transferable adversarial examples against both normally trained and defense models.
• Score: 91.36850162147678
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: For black-box attacks, the gap between the substitute model and the victim model is usually large, which manifests as a weak attack performance. Motivated by the observation that the transferability of adversarial examples can be improved by attacking diverse models simultaneously, model augmentation methods which simulate different models by using transformed images are proposed. However, existing transformations for spatial domain do not translate to significantly diverse augmented models. To tackle this issue, we propose a novel spectrum simulation attack to craft more transferable adversarial examples against both normally trained and defense models. Specifically, we apply a spectrum transformation to the input and thus perform the model augmentation in the frequency domain. We theoretically prove that the transformation derived from frequency domain leads to a diverse spectrum saliency map, an indicator we proposed to reflect the diversity of substitute models. Notably, our method can be generally combined with existing attacks. Extensive experiments on the ImageNet dataset demonstrate the effectiveness of our method, \textit{e.g.}, attacking nine state-of-the-art defense models with an average success rate of \textbf{95.4\%}. Our code is available in \url{https://github.com/yuyang-long/SSA}.

Related papers

• An Adaptive Model Ensemble Adversarial Attack for Boosting Adversarial Transferability [26.39964737311377]
  We propose an adaptive ensemble attack, dubbed AdaEA, to adaptively control the fusion of the outputs from each model. We achieve considerable improvement over the existing ensemble attacks on various datasets.
  arXiv  Detail & Related papers  (2023-08-05T15:12:36Z)
• Boosting Adversarial Transferability with Learnable Patch-wise Masks [16.46210182214551]
  Adversarial examples have attracted widespread attention in security-critical applications because of their transferability across different models. In this paper, we argue that the model-specific discriminative regions are a key factor causing overfitting to the source model, and thus reducing the transferability to the target model. To accurately localize these regions, we present a learnable approach to automatically optimize the mask.
  arXiv  Detail & Related papers  (2023-06-28T05:32:22Z)
• Rethinking Model Ensemble in Transfer-based Adversarial Attacks [46.82830479910875]
  An effective strategy to improve the transferability is attacking an ensemble of models. Previous works simply average the outputs of different models. We propose a Common Weakness Attack (CWA) to generate more transferable adversarial examples.
  arXiv  Detail & Related papers  (2023-03-16T06:37:16Z)
• Making Substitute Models More Bayesian Can Enhance Transferability of Adversarial Examples [89.85593878754571]
  transferability of adversarial examples across deep neural networks is the crux of many black-box attacks. We advocate to attack a Bayesian model for achieving desirable transferability. Our method outperforms recent state-of-the-arts by large margins.
  arXiv  Detail & Related papers  (2023-02-10T07:08:13Z)
• Minimizing Maximum Model Discrepancy for Transferable Black-box Targeted Attacks [30.863450425927613]
  We study the black-box targeted attack problem from the model discrepancy perspective. We present a generalization error bound for black-box targeted attacks, which gives a rigorous theoretical analysis for guaranteeing the success of the attack. We derive a new algorithm for black-box targeted attacks based on our theoretical analysis.
  arXiv  Detail & Related papers  (2022-12-18T08:19:08Z)
• Enhancing Targeted Attack Transferability via Diversified Weight Pruning [0.3222802562733786]
  Malicious attackers can generate targeted adversarial examples by imposing human-imperceptible noise on images. With cross-model transferable adversarial examples, the vulnerability of neural networks remains even if the model information is kept secret from the attacker. Recent studies have shown the effectiveness of ensemble-based methods in generating transferable adversarial examples.
  arXiv  Detail & Related papers  (2022-08-18T07:25:48Z)
• Beyond ImageNet Attack: Towards Crafting Adversarial Examples for Black-box Domains [80.11169390071869]
  Adversarial examples have posed a severe threat to deep neural networks due to their transferable nature. We propose a Beyond ImageNet Attack (BIA) to investigate the transferability towards black-box domains. Our methods outperform state-of-the-art approaches by up to 7.71% (towards coarse-grained domains) and 25.91% (towards fine-grained domains) on average.
  arXiv  Detail & Related papers  (2022-01-27T14:04:27Z)
• Cross-Modal Transferable Adversarial Attacks from Images to Videos [82.0745476838865]
  Recent studies have shown that adversarial examples hand-crafted on one white-box model can be used to attack other black-box models. We propose a simple yet effective cross-modal attack method, named as Image To Video (I2V) attack. I2V generates adversarial frames by minimizing the cosine similarity between features of pre-trained image models from adversarial and benign examples.
  arXiv  Detail & Related papers  (2021-12-10T08:19:03Z)
• Training Meta-Surrogate Model for Transferable Adversarial Attack [98.13178217557193]
  We consider adversarial attacks to a black-box model when no queries are allowed. In this setting, many methods directly attack surrogate models and transfer the obtained adversarial examples to fool the target model. We show we can obtain a Meta-Surrogate Model (MSM) such that attacks to this model can be easier transferred to other models.
  arXiv  Detail & Related papers  (2021-09-05T03:27:46Z)
• Two Sides of the Same Coin: White-box and Black-box Attacks for Transfer Learning [60.784641458579124]
  We show that fine-tuning effectively enhances model robustness under white-box FGSM attacks. We also propose a black-box attack method for transfer learning models which attacks the target model with the adversarial examples produced by its source model. To systematically measure the effect of both white-box and black-box attacks, we propose a new metric to evaluate how transferable are the adversarial examples produced by a source model to a target model.
  arXiv  Detail & Related papers  (2020-08-25T15:04:32Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.