LRS: Enhancing Adversarial Transferability through Lipschitz Regularized Surrogate

Tao Wu, Tie Luo, Donald C. Wunsch

TL;DR

The work tackles limited transferability of adversarial examples in transfer-based black-box attacks by transforming surrogate models with Lipschitz regularization. It introduces two regularization schemes (LRS-1 on first-order loss and LRS-2 on second-order loss) and an extended LRS-F, all optimized via finite differences and applied as plug-ins to existing attacks. Empirical results on CIFAR-10 and ImageNet show substantial gains in attack success rates and transferability, attributed to smoother loss landscapes and reduced local Lipschitz constants; the approach also demonstrates robustness against defenses. The method provides new insights into the role of surrogate geometry in adversarial transferability and offers a practical, scalable way to enhance transfer-based attacks, with code released for reproducibility.

Abstract

The transferability of adversarial examples is of central importance to transfer-based black-box adversarial attacks. Previous works for generating transferable adversarial examples focus on attacking given pretrained surrogate models, while the connections between surrogate models and adversarial transferability have been overlooked. In this paper, we propose Lipschitz Regularized Surrogate (LRS) for transfer-based black-box attacks, a novel approach that transforms surrogate models towards favorable adversarial transferability. Using such transformed surrogate models, any existing transfer-based black-box attack can run without any change, yet achieve much better performance. Specifically, we impose Lipschitz regularization on the loss landscape of surrogate models to enable a smoother and more controlled optimization process for generating more transferable adversarial examples. In addition, this paper also sheds light on the connection between the inner properties of surrogate models and adversarial transferability, where three factors are identified: smaller local Lipschitz constant, smoother loss landscape, and stronger adversarial robustness. We evaluate our proposed LRS approach by attacking state-of-the-art standard deep neural networks and defense models. The results demonstrate significant improvement on the attack success rates and transferability. Our code is available at https://github.com/TrustAIoT/LRS.

Paper Structure (19 sections, 11 equations, 4 figures, 7 tables, 1 algorithm)

This paper contains 19 sections, 11 equations, 4 figures, 7 tables, 1 algorithm.

Figures (4)

  • Figure 1: The loss landscape of original and transformed surrogate model: corrugated vs. smooth. Transformed surrogate models offer more stable input gradients and make the generated AE more generalizable, enabling more potent attacks.
  • Figure 2: The loss of surrogate model (DenseNet) and target model (ResNet18), w.r.t. PGD-generated AE. It reveals that LRS-transformed models demonstrate more robustness and enable more transferable attacks.
  • Figure 3: Ablation studies on average ASR under different hyperparameters $h$ and $\lambda$. The performance gains are consistent across a wide range of hyperparameter values.
  • Figure 4: Adversarial examples generated by our proposed LRS, showing that they are indistinguishable from original images by human eyes.

Theorems & Definitions (2)

  • Definition 1
  • Definition 2