Boosting the Transferability of Adversarial Examples via Local Mixup and Adaptive Step Size
Junlin Liu, Xinchen Lyu
TL;DR
This work tackles black-box adversarial transferability by introducing IDAA, a framework that simultaneously strengthens input diversity and adapts perturbation step sizes. It achieves this through a local mixup strategy applied to groups of transformed images, and a $\tanh$-space perturbation with second-order momentum to adjust step sizes across image regions. The method demonstrates superior transferability on ImageNet across multiple naturally trained and adversarially trained models, and it can enhance existing input-diversity attacks as well as ensemble-based strategies. The results suggest practical implications for evaluating and improving robustness of deep vision models in black-box scenarios, while also providing insights into how regional differences in images influence attack effectiveness.
Abstract
Adversarial examples are a critical security threat to various visual applications, where injected human-imperceptible perturbations can confuse the output. Generating transferable adversarial examples in the black-box setting is crucial but challenging in practice. Existing input-diversity-based methods adopt different image transformations, but may be inefficient due to insufficient input diversity and an identical perturbation step size. Motivated by the fact that different image regions have distinctive weights in classification, this paper proposes a black-box adversarial generative framework by jointly designing enhanced input diversity and adaptive step sizes. We design local mixup to randomly mix a group of transformed adversarial images, strengthening the input diversity. For precise adversarial generation, we project the perturbation into the $\tanh$ space to relax the boundary constraint. Moreover, the step sizes of different regions can be dynamically adjusted by integrating a second-order momentum. Extensive experiments on ImageNet validate that our framework can achieve superior transferability compared to state-of-the-art baselines.
