Abstract:The transferability and robustness of adversarial examples are two practical and important properties for black- box adversarial attacks. In this paper, we explore effective mechanisms to boost both of them across network hierarchy. In general, a typical network can be hierarchically divided into output stage, intermediate stage and input stage. Due to the over-specialization of the substitute model, we can hardly improve the transferability and robustness of the adversarial perturbations in the output stage. Therefore, we focus on manipulating the intermediate and input stages in this paper, and propose a Transferable and Robust Adversarial Perturbation generation (TRAP) method. Specifically, we propose the dynamically guided mechanism to continuously calculate accurate directional guidances for perturbation generation in the intermediate stage. In the input stage, instead of employing the single-form transformation augmentations adopted in the existing methods, we leverage multi-form affine transformation augmentations to enrich the input diversity and simultaneously boost the robustness and transferability of the adversarial perturbations. Extensive evaluations on ImageNet validation set demonstrate that our TRAP achieves superior transferability when attacking convolution neural networks (CNNs) and vision transformers (ViTs) compared to closely related state-of-the-art methods. For instance, based on the ResNet-101 model, we achieve an average attack success rate of 97.5% on black-box CNN models and 70.1% on ViT models, respectively. Moreover, TRAP exhibits robust performance against various physical-world interferences, such as Gaussian blurring, Gaussian noise, JPEG compression, color distortions, image erosion and image dilation. Additionally, we also show the potential application of our TRAP method for proactive defense against deepfake.

Exploring Transferable and Robust Adversarial Perturbation Generation Across Network Hierarchy

Bag of Tricks to Boost Adversarial Transferability

Improving Transferability of Universal Adversarial Perturbation with Feature Disruption.

Towards Transferable Adversarial Attacks with Centralized Perturbation

Improving Adversarial Transferability with Heuristic Random Transformation.

Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks

Improving Transferability of Adversarial Examples with Adversaries Competition

Robustness and Transferability of Adversarial Attacks on Different Image Classification Neural Networks

Robust Attack with Adaptive Compress Adversarial Perturbations

Channel-augmented Joint Transformation for Transferable Adversarial Attacks

Understanding and Enhancing the Transferability of Adversarial Examples

Towards transferable adversarial attacks on vision transformers for image classification

Improving Transferability of Adversarial Examples With Input Diversity

Robust Universal Adversarial Perturbations

Generalizing universal adversarial perturbations for deep neural networks

Improving Adversarial Transferability with Gradient Refining

TransRPN: Towards the Transferable Adversarial Perturbations using Region Proposal Networks and Beyond

Towards Transferable Adversarial Attacks on Image and Video Transformers

A Target-oriented Approach to Enhancing the Transferability of Targeted Adversarial Attacks

Crafting Universal Adversarial Perturbations with Output Vectors

Generating Adversarial Examples with Controllable Non-transferability