Abstract:Adversarial examples refer to the malicious inputs that can mislead deep neural networks (DNNs) to falsely classify them. In practice, some adversarial examples are transferable and hence can deceive different target models. In multi-stage ensemble adversarial example attacks, adversaries can generate strongly transferable adversarial examples through iteratively perturbing legitimate examples to attack well-trained source models in a white-box manner. Limited by computational and memory resources (e.g., GPU memory), however, adversaries cannot handle all models and all legitimate examples at a time. This brings an important but never studied research issue: how to optimally schedule source models and appropriately select samples to improve adversarial example transferability and reduce unnecessary computational overheads? To shed light on this problem, we develop a novel multi-stage ensemble adversarial example attack method based on our proposed strategies of model scheduling and sample selection. The first strategy schedules source models to be attacked in every stage, based on the criteria of decision boundary similarity and model diversity. The second selects input samples to be handled by ensemble attacks, according to their sensitivity level for adversarial perturbations. To our knowledge, we are the first to study model scheduling and sample selection for multi-stage ensemble attacks. We conduct extensive experiments on three datasets with a variety of source and target models. Experiments show that our model scheduling based ensemble attack outperforms the all-model ensemble attack and the state-of-the-art ensemble attacks SCES, SMBEA and EnsembleFool in transferability. Moreover, our sample selection strategy improves attack success rate by about 138%. (C) 2022 Elsevier Ltd. All rights reserved.

Model scheduling and sample selection for ensemble adversarial example attacks

A New Ensemble Method for Concessively Targeted Multi-model Attack

Rethinking Model Ensemble in Transfer-based Adversarial Attacks

Understanding Model Ensemble in Transferable Adversarial Attack

An Adaptive Model Ensemble Adversarial Attack for Boosting Adversarial Transferability

Boosting the Transferability of Ensemble Adversarial Attack via Stochastic Average Variance Descent

Ensemble-based Blackbox Attacks on Dense Prediction

Stochastic Variance Reduced Ensemble Adversarial Attack for Boosting the Adversarial Transferability

Omni: Automated Ensemble with Unexpected Models against Adversarial Evasion Attack

Enhancing Adversarial Attacks: The Similar Target Method

Delving into Transferable Adversarial Examples and Black-box Attacks

Strong Transferable Adversarial Attacks via Ensembled Asymptotically Normal Distribution Learning

Scaling Laws for Black box Adversarial Attacks

Improving Adversarial Robustness of Ensemble Classifiers by Diversified Feature Selection and Stochastic Aggregation

Ensemble Adversarial Training: Attacks and Defenses

DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles

Improving the Transferability of Adversarial Examples with Resized-Diverse-Inputs, Diversity-Ensemble and Region Fitting

Dynamic Defense Approach for Adversarial Robustness in Deep Neural Networks via Stochastic Ensemble Smoothed Model

Ensemble Methods as a Defense to Adversarial Perturbations Against Deep Neural Networks

SS-CMT: a label independent cross-modal transferable adversarial video attack with sparse strategy

Towards the Transferable Audio Adversarial Attack via Ensemble Methods