LRS: Enhancing Adversarial Transferability through Lipschitz Regularized
Surrogate
- URL: http://arxiv.org/abs/2312.13118v2
- Date: Mon, 22 Jan 2024 00:50:55 GMT
- Title: LRS: Enhancing Adversarial Transferability through Lipschitz Regularized
Surrogate
- Authors: Tao Wu, Tie Luo, and Donald C. Wunsch
- Abstract summary: The transferability of adversarial examples is of central importance to transfer-based black-box adversarial attacks.
We propose Lipschitz Regularized Surrogate (LRS) for transfer-based black-box attacks.
We evaluate our proposed LRS approach by attacking state-of-the-art standard deep neural networks and defense models.
- Score: 8.248964912483912
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The transferability of adversarial examples is of central importance to
transfer-based black-box adversarial attacks. Previous works for generating
transferable adversarial examples focus on attacking given pretrained
surrogate models, while the connections between surrogate models and adversarial
transferability have been overlooked. In this paper, we propose Lipschitz
Regularized Surrogate (LRS) for transfer-based black-box attacks, a novel
approach that transforms surrogate models towards favorable adversarial
transferability. Using such transformed surrogate models, any existing
transfer-based black-box attack can run without any change, yet achieve much
better performance. Specifically, we impose Lipschitz regularization on the
loss landscape of surrogate models to enable a smoother and more controlled
optimization process for generating more transferable adversarial examples. In
addition, this paper also sheds light on the connection between the inner
properties of surrogate models and adversarial transferability, where three
factors are identified: smaller local Lipschitz constant, smoother loss
landscape, and stronger adversarial robustness. We evaluate our proposed LRS
approach by attacking state-of-the-art standard deep neural networks and
defense models. The results demonstrate significant improvement on the attack
success rates and transferability. Our code is available at
https://github.com/TrustAIoT/LRS.
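The core technique is to fine-tune the surrogate so that the loss landscape around natural inputs becomes smoother, i.e. has a smaller local Lipschitz constant. Below is a minimal PyTorch-style sketch of one plausible way to do this with a first-order gradient-norm penalty; the helper name, the penalty form, and the weight lam are illustrative assumptions rather than the exact LRS objective, which is defined in the paper and the repository above.
```python
# Minimal sketch (PyTorch): fine-tuning a surrogate with a first-order
# Lipschitz-style penalty on the input-loss landscape. The penalty form
# and the weight `lam` are assumptions for illustration, not the exact
# LRS objective from the paper.
import torch
import torch.nn.functional as F

def lipschitz_regularized_step(model, optimizer, x, y, lam=0.1):
    """One fine-tuning step: cross-entropy loss plus a gradient-norm penalty
    that encourages a smaller local Lipschitz constant of the loss landscape."""
    x = x.clone().requires_grad_(True)
    ce_loss = F.cross_entropy(model(x), y)

    # Gradient of the loss w.r.t. the input; create_graph=True so the penalty
    # itself can be back-propagated into the model parameters.
    (grad_x,) = torch.autograd.grad(ce_loss, x, create_graph=True)
    lip_penalty = grad_x.flatten(1).norm(dim=1).mean()

    loss = ce_loss + lam * lip_penalty
    optimizer.zero_grad()
    loss.backward()
    optimizer.step()
    return ce_loss.item(), lip_penalty.item()
```
Once fine-tuned this way, the transformed surrogate is dropped into any existing transfer-based attack (e.g., I-FGSM or MI-FGSM) with no change to the attack itself.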
Related papers
- Advancing Generalized Transfer Attack with Initialization Derived Bilevel Optimization and Dynamic Sequence Truncation [49.480978190805125]
Transfer attacks attract significant interest for black-box applications.
Existing works essentially optimize a single-level objective directly w.r.t. the surrogate model.
We propose a bilevel optimization paradigm, which explicitly reformulates the nested relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker.
arXiv Detail & Related papers (2024-06-04T07:45:27Z) - Efficient Generation of Targeted and Transferable Adversarial Examples for Vision-Language Models Via Diffusion Models [17.958154849014576]
Adversarial attacks can be used to assess the robustness of large vision-language models (VLMs).
Previous transfer-based adversarial attacks incur high costs due to large iteration counts and complex method structures.
We propose AdvDiffVLM, which uses diffusion models to generate natural, unrestricted and targeted adversarial examples.
arXiv Detail & Related papers (2024-04-16T07:19:52Z) - Rethinking the Backward Propagation for Adversarial Transferability [12.244490573612286]
Transfer-based attacks generate adversarial examples on a surrogate model that can mislead other black-box models without requiring access to them; a generic sketch of this recipe appears after the related papers list.
In this work, we identify that non-linear layers truncate the gradient during backward propagation, making the gradient w.r.t. the input image an imprecise reflection of the loss function.
We propose a novel method to increase the relevance between the gradient w.r.t. the input image and the loss function, so as to generate adversarial examples with higher transferability.
arXiv Detail & Related papers (2023-06-22T06:12:23Z) - Generating Adversarial Examples with Better Transferability via Masking
Unimportant Parameters of Surrogate Model [6.737574282249396]
We propose to improve the transferability of adversarial examples in transfer-based attacks via masking unimportant parameters (MUP).
The key idea in MUP is to refine the pretrained surrogate models to boost the transfer-based attack.
arXiv Detail & Related papers (2023-04-14T03:06:43Z) - Logit Margin Matters: Improving Transferable Targeted Adversarial Attack
by Logit Calibration [85.71545080119026]
The Cross-Entropy (CE) loss function is insufficient for learning transferable targeted adversarial examples.
We propose two simple and effective logit calibration methods, which are achieved by downscaling the logits with a temperature factor and an adaptive margin.
Experiments conducted on the ImageNet dataset validate the effectiveness of the proposed methods.
arXiv Detail & Related papers (2023-03-07T06:42:52Z) - Boosting the Transferability of Adversarial Attacks with Reverse
Adversarial Perturbation [32.81400759291457]
Adversarial examples can induce erroneous predictions by injecting imperceptible perturbations into benign inputs.
In this work, we study the transferability of adversarial examples, which is significant due to its threat to real-world applications.
We propose a novel attack method, dubbed reverse adversarial perturbation (RAP).
arXiv Detail & Related papers (2022-10-12T07:17:33Z) - Adversarial Pixel Restoration as a Pretext Task for Transferable
Perturbations [54.1807206010136]
Transferable adversarial attacks optimize adversaries from a pretrained surrogate model and a known label space to fool unknown black-box models.
We propose Adversarial Pixel Restoration as a self-supervised alternative to train an effective surrogate model from scratch.
Our training approach is based on a min-max objective which reduces overfitting via an adversarial objective.
arXiv Detail & Related papers (2022-07-18T17:59:58Z) - Transfer Attacks Revisited: A Large-Scale Empirical Study in Real
Computer Vision Settings [64.37621685052571]
We conduct the first systematic empirical study of transfer attacks against major cloud-based ML platforms.
The study leads to a number of interesting findings that are inconsistent with existing ones.
We believe this work sheds light on the vulnerabilities of popular ML platforms and points to a few promising research directions.
arXiv Detail & Related papers (2022-04-07T12:16:24Z) - Training Meta-Surrogate Model for Transferable Adversarial Attack [98.13178217557193]
We consider adversarial attacks on a black-box model when no queries are allowed.
In this setting, many methods directly attack surrogate models and transfer the obtained adversarial examples to fool the target model.
We show we can obtain a Meta-Surrogate Model (MSM) such that attacks on this model can be more easily transferred to other models.
arXiv Detail & Related papers (2021-09-05T03:27:46Z) - Boosting Black-Box Attack with Partially Transferred Conditional
Adversarial Distribution [83.02632136860976]
We study black-box adversarial attacks against deep neural networks (DNNs).
We develop a novel mechanism of adversarial transferability, which is robust to the surrogate biases.
Experiments on benchmark datasets and attacking against real-world API demonstrate the superior attack performance of the proposed method.
arXiv Detail & Related papers (2020-06-15T16:45:27Z)
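For context, most of the papers above build on the same transfer-attack recipe: craft adversarial examples on a white-box surrogate and evaluate them on an unseen black-box target. The following is a hedged sketch of that generic recipe using iterative FGSM; the function name, step size, perturbation budget, and iteration count are illustrative assumptions and are not taken from any specific paper listed here.
```python
# Hedged sketch of the generic transfer-attack recipe: iterative FGSM on a
# white-box surrogate, later evaluated on a black-box target. All
# hyperparameters below are illustrative assumptions.
import torch
import torch.nn.functional as F

def ifgsm_on_surrogate(surrogate, x, y, eps=8 / 255, alpha=2 / 255, steps=10):
    x0 = x.clone().detach()
    x_adv = x0.clone()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(surrogate(x_adv), y)
        (grad,) = torch.autograd.grad(loss, x_adv)
        x_adv = x_adv.detach() + alpha * grad.sign()    # ascend the loss
        x_adv = x0 + (x_adv - x0).clamp(-eps, eps)      # project to the L_inf ball
        x_adv = x_adv.clamp(0.0, 1.0)                   # keep a valid image
    return x_adv.detach()

# Transferability is then measured as the misclassification rate of an unseen
# black-box target model on x_adv, which that model never helped generate.
```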
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the listed information and is not responsible for any consequences arising from its use.