Abstract:Deep neural networks could be fooled by adversarial examples with trivial differences to original samples. To keep the difference imperceptible in human eyes, researchers bound the adversarial perturbations by the ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">∞</inf> norm, which is now commonly served as the standard to align the strength of different attacks for a fair comparison. However, we propose that using the ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">∞</inf> norm alone is not sufficient in measuring the attack strength, because even with a fixed ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">∞</inf> distance, the ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</inf> distance also greatly affects the attack transferability between models. Through the discovery, we reach more in-depth understandings towards the attack mechanism, i.e., several existing methods attack black-box models better partly because they craft perturbations with 70% to 130% larger ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</inf> distances. Since larger perturbations naturally lead to better transferability, we thereby advocate that the strength of attacks should be simultaneously measured by both the ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">∞</inf> and ℓ <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</inf> norm. Our proposal is firmly supported by extensive experiments on ImageNet dataset from 7 attacks, 4 white-box models, and 9 black-box models.

Measuring the Transferability of ℓ<inf>∞</inf> Attacks by the ℓ<inf>2</inf> Norm

Measuring the Transferability of $\ell_\infty$ Attacks by the $\ell_2$ Norm

Measuring `∞ Attacks by the `2 Norm

Measuring $\ell_\infty$ Attacks by the $\ell_2$ Norm

Transfer Attacks Revisited: A Large-Scale Empirical Study in Real Computer Vision Settings

Going Far Boosts Attack Transferability, but Do Not Do It.

Bag of Tricks to Boost Adversarial Transferability

Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks

Based on Max-Min Framework Transferable Adversarial Attacks

How to choose your best allies for a transferable attack?

A Low-Query Black-Box Adversarial Attack Based on Transferability

Towards Evaluating Transfer-based Attacks Systematically, Practically, and Fairly

Understanding and Enhancing the Transferability of Adversarial Examples

Delving into Transferable Adversarial Examples and Black-box Attacks

Diffusion Models for Imperceptible and Transferable Adversarial Attack

Demystifying the Transferability of Adversarial Attacks in Computer Networks

Revisiting Transferable Adversarial Image Examples: Attack Categorization, Evaluation Guidelines, and New Insights

Quantization Aware Attack: Enhancing Transferable Adversarial Attacks by Model Quantization

Luring of transferable adversarial perturbations in the black-box paradigm

Enhancing Adversarial Transferability with Adversarial Weight Tuning

Scaling Laws for Black box Adversarial Attacks