Bag of Tricks to Boost Adversarial Transferability

Zeliang Zhang, Wei Yao, Xiaosen Wang

TL;DR

Adversarial transferability is a critical risk when perturbations are crafted on a surrogate model for black-box targets. This work systematically studies how hyperparameters like the number of iterations $T$, step size $\alpha$, and momentum factors influence cross-model success under an $l_\infty$ budget $\epsilon=16/255$, and then proposes a bag of tricks: momentum initialization, scheduled step size, dual examples, spectral-based input transformations, and ensemble strategies. Through extensive ImageNet experiments, the authors show that integrating these tricks yields sizable gains over baselines and remains effective against defenses and real-world systems such as Google's Vision API. The results provide practical guidance for evaluating and enhancing adversarial transferability in real-world, black-box settings, while also motivating theoretical questions about optimization dynamics and step-size schedules in attack generation.

Abstract

Deep neural networks are widely known to be vulnerable to adversarial examples. However, vanilla adversarial examples generated under the white-box setting often exhibit low transferability across different models. Since adversarial transferability poses more severe threats to practical applications, various approaches have been proposed for better transferability, including gradient-based, input transformation-based, and model-related attacks, etc. In this work, we find that several tiny changes in the existing adversarial attacks can significantly affect the attack performance, e.g., the number of iterations and step size. Based on careful studies of existing adversarial attacks, we propose a bag of tricks to enhance adversarial transferability, including momentum initialization, scheduled step size, dual example, spectral-based input transformation, and several ensemble strategies. Extensive experiments on the ImageNet dataset validate the high effectiveness of our proposed tricks and show that combining them can further boost adversarial transferability. Our work provides practical insights and techniques to enhance adversarial transferability, and offers guidance to improve the attack performance on real-world applications through simple adjustments.

Paper Structure

This paper contains 37 sections, 2 equations, 11 figures, 17 tables, and 3 algorithms.

Figures (11)

  • Figure 1: Attack success rates (%) of $100$ adversarial examples against Google's vision API with VGG-16 as the surrogate model. We denote Vanilla as the general setting, Adjustment as adjusting the hyper-parameters, and Tricks as being integrated with our tricks.
  • Figure 2: Hyper-parameters studies of seven iterative adversarial attacks on the number of iterations, scale factor for step size and decay factor.
  • Figure 3: Scheduled step size at various iterations.
  • Figure 4: Attack success rates (%) when varying the number of copies.
  • Figure 5: Average attack success rates (%) of baselines and proposed tricks on SSA.
  • ...and 6 more figures