The Ultimate Combo: Boosting Adversarial Example Transferability by Composing Data Augmentations

Zebin Yun,Achi-Or Weingarten,Eyal Ronen,Mahmood Sharif
2024-10-23
Abstract: To help adversarial examples generalize from surrogate machine-learning (ML) models to targets, certain transferability-based black-box evasion attacks incorporate data augmentations (e.g., random resizing). Yet, prior work has explored limited augmentations and their composition. To fill the gap, we systematically studied how data augmentation affects transferability. Specifically, we explored 46 augmentation techniques originally proposed to help ML models generalize to unseen benign samples, and assessed how they impact transferability, when applied individually or composed. Performing exhaustive search on a small subset of augmentation techniques and genetic search on all techniques, we identified augmentation combinations that help promote transferability. Extensive experiments with the ImageNet and CIFAR-10 datasets and 18 models showed that simple color-space augmentations (e.g., color to greyscale) attain high transferability when combined with standard augmentations. Furthermore, we discovered that composing augmentations impacts transferability mostly monotonically (i.e., more augmentations $\rightarrow$ $\ge$ transferability). We also found that the best composition significantly outperformed the state of the art (e.g., 91.8% vs. $\le$82.5% average transferability to adversarially trained targets on ImageNet). Lastly, our theoretical analysis, backed by empirical evidence, intuitively explains why certain augmentations promote transferability.
Computer Vision and Pattern Recognition
What problem does this paper attempt to address?
The problem this paper addresses is how to improve the transferability of adversarial examples by composing data augmentation techniques. Specifically, the paper explores how 46 different data augmentation techniques, and combinations of them, affect the transfer of adversarial examples from surrogate models to target models. The goal is to systematically analyze how these augmentations affect transferability when used alone or in combination, and to find the augmentation combinations that improve transferability the most.

### Main Contributions

1. **Performance of simple color-space augmentations**: Simple color-space augmentations (such as color-to-grayscale conversion), when combined with standard augmentations, achieve transferability comparable to or even better than existing state-of-the-art techniques, while also reducing running-time cost.
2. **Parallel combination of augmentations**: A parallel-combination method is proposed that can integrate a large number of augmentation techniques into one attack. Experiments show that it improves transferability more effectively than the previously used serial-combination method. The study also found that as the number of augmentation techniques increases, transferability generally increases monotonically.
3. **Discovery of the best augmentation combinations**: Through exhaustive search and genetic search, augmentation combinations that significantly improve transferability are discovered. These combinations outperform existing state-of-the-art techniques across multiple datasets and models.
4. **Theoretical analysis**: It is shown theoretically that certain augmentations improve transferability by smoothing the gradients of surrogate models, and experimental evidence supports this analysis.

### Methods

- **Selection of data augmentation techniques**: The paper selects 46 augmentation techniques spanning seven categories: color-space transformation, random deletion, kernel filters, image mixing, style transfer, meta-learning-inspired augmentation, and spatial transformation.
- **Combination methods**: Two composition methods are used, parallel and serial. Parallel combination applies each augmentation independently to the input and then merges the outputs; serial combination applies the augmentations in sequence. Experimentally, parallel combination performs better in most cases.
- **Search strategies**: Exhaustive search and genetic search are used to discover the best augmentation combinations. Exhaustive search is effective on small-scale datasets, while genetic search is suitable for large-scale datasets and can find high-performing augmentation combinations in a relatively short time.

### Experimental Results

- **Transferability**: The best augmentation combinations significantly improve the transferability of adversarial examples on the ImageNet and CIFAR-10 datasets, especially against adversarially trained models.
- **Theoretical verification**: Analyzing how augmentations influence the model gradients shows that certain augmentations smooth the gradients and thereby improve transferability; the experimental evidence supports this conclusion.

### Conclusion

By systematically studying the effects of many data augmentation techniques and their combinations on the transferability of adversarial examples, the paper identifies augmentation combinations that significantly improve transferability. These findings both provide new methods for improving transferability and offer a theoretical basis for understanding how augmentation techniques affect it.
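The distinction between the parallel and serial combination methods described above, as an added illustration that is not code from the paper: the three augmentations are simplified stand-ins for the paper's color-space, spatial and filter categories, the pixel-wise averaging merge is an assumption, and the image is a constructed 1x2 RGB sample.

```python
# Added illustration (not code from the paper): how "parallel" and "serial"
# composition of input augmentations differ. Images are tiny constructed
# H x W x 3 float arrays (nested lists, values in [0, 1]); the augmentations
# are simplified stand-ins for the paper's categories, and averaging as the
# parallel merge step is an assumption.
from typing import Callable, List

Image = List[List[List[float]]]
Augment = Callable[[Image], Image]

def to_greyscale(img: Image) -> Image:
    """Color-space augmentation: ITU-R BT.601 luma, replicated to 3 channels."""
    return [[[0.299 * r + 0.587 * g + 0.114 * b] * 3 for r, g, b in row] for row in img]

def horizontal_flip(img: Image) -> Image:
    """Spatial augmentation: mirror each row."""
    return [row[::-1] for row in img]

def brighten(img: Image, factor: float = 1.5) -> Image:
    """Filter-style augmentation: scale intensities, clipped to [0, 1]."""
    return [[[min(1.0, c * factor) for c in px] for px in row] for row in img]

def serial_compose(augs: List[Augment], img: Image) -> Image:
    """Serial combination: each augmentation is applied to the previous output,
    so the result depends on the order of the list."""
    out = img
    for aug in augs:
        out = aug(out)
    return out

def parallel_compose(augs: List[Augment], img: Image) -> Image:
    """Parallel combination: every augmentation sees the ORIGINAL input and the
    per-augmentation outputs are merged (here: pixel-wise average), so the
    result is order-independent and each view stays a bounded distortion."""
    views = [aug(img) for aug in augs]
    h, w = len(img), len(img[0])
    return [[[sum(v[y][x][c] for v in views) / len(views) for c in range(3)]
             for x in range(w)] for y in range(h)]

# Constructed 1x2 image: a pure red pixel next to a pure blue pixel.
SAMPLE: Image = [[[1.0, 0.0, 0.0], [0.0, 0.0, 1.0]]]
AUGS: List[Augment] = [to_greyscale, horizontal_flip, brighten]

if __name__ == "__main__":
    print("serial  :", serial_compose(AUGS, SAMPLE))
    print("parallel:", parallel_compose(AUGS, SAMPLE))
```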