Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Everywhere Attack: Attacking Locally and Globally to Boost Targeted Transferability

Hui Zeng, Sanshuai Cui, Biwei Chen, Anjie Peng

TL;DR

Targeted transferability of adversarial examples remains difficult due to model-specific attention patterns. The Everywhere Attack introduces a block-wise strategy that places multiple target instances across local image regions, aggregating them with the global image to better cover diverse victim-model attentions; this approach is compatible with existing attacks and is surprisingly effective across CNNs and transformers. Empirical results on ImageNet show broad improvements in targeted transferability for numerous attacks, including sizeable gains over Logit baselines, and the method also transfers to data-free UAPs and real-world systems like Google Cloud Vision. The technique offers a simple, scalable way to enhance targeted adversaries and provides new insights into attention-driven transfer phenomena with potential implications for defense strategies and robustness research.

Abstract

Adversarial examples' (AE) transferability refers to the phenomenon that AEs crafted with one surrogate model can also fool other models. Notwithstanding remarkable progress in untargeted transferability, its targeted counterpart remains challenging. This paper proposes an everywhere scheme to boost targeted transferability. Our idea is to attack a victim image both globally and locally. We aim to optimize 'an army of targets' in every local image region instead of the previous works that optimize a high-confidence target in the image. Specifically, we split a victim image into non-overlap blocks and jointly mount a targeted attack on each block. Such a strategy mitigates transfer failures caused by attention inconsistency between surrogate and victim models and thus results in stronger transferability. Our approach is method-agnostic, which means it can be easily combined with existing transferable attacks for even higher transferability. Extensive experiments on ImageNet demonstrate that the proposed approach universally improves the state-of-the-art targeted attacks by a clear margin, e.g., the transferability of the widely adopted Logit attack can be improved by 28.8%-300%.We also evaluate the crafted AEs on a real-world platform: Google Cloud Vision. Results further support the superiority of the proposed method.

Everywhere Attack: Attacking Locally and Globally to Boost Targeted Transferability

TL;DR

Targeted transferability of adversarial examples remains difficult due to model-specific attention patterns. The Everywhere Attack introduces a block-wise strategy that places multiple target instances across local image regions, aggregating them with the global image to better cover diverse victim-model attentions; this approach is compatible with existing attacks and is surprisingly effective across CNNs and transformers. Empirical results on ImageNet show broad improvements in targeted transferability for numerous attacks, including sizeable gains over Logit baselines, and the method also transfers to data-free UAPs and real-world systems like Google Cloud Vision. The technique offers a simple, scalable way to enhance targeted adversaries and provides new insights into attention-driven transfer phenomena with potential implications for defense strategies and robustness research.

Abstract

Adversarial examples' (AE) transferability refers to the phenomenon that AEs crafted with one surrogate model can also fool other models. Notwithstanding remarkable progress in untargeted transferability, its targeted counterpart remains challenging. This paper proposes an everywhere scheme to boost targeted transferability. Our idea is to attack a victim image both globally and locally. We aim to optimize 'an army of targets' in every local image region instead of the previous works that optimize a high-confidence target in the image. Specifically, we split a victim image into non-overlap blocks and jointly mount a targeted attack on each block. Such a strategy mitigates transfer failures caused by attention inconsistency between surrogate and victim models and thus results in stronger transferability. Our approach is method-agnostic, which means it can be easily combined with existing transferable attacks for even higher transferability. Extensive experiments on ImageNet demonstrate that the proposed approach universally improves the state-of-the-art targeted attacks by a clear margin, e.g., the transferability of the widely adopted Logit attack can be improved by 28.8%-300%.We also evaluate the crafted AEs on a real-world platform: Google Cloud Vision. Results further support the superiority of the proposed method.
Paper Structure (21 sections, 4 equations, 6 figures, 7 tables, 1 algorithm)

This paper contains 21 sections, 4 equations, 6 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Transferable Untargeted Attacks
  4. Transferable Targeted Attacks
  5. The Proposed Method
  6. Motivation
  7. Everywhere Attack
  8. Experimental Results
  9. Experimental Settings
  10. Normal surrogates
  11. Robust surrogates
  12. Iterative vs. generative attacks
  13. Data-free Targeted UAP
  14. Fooling Google Cloud Vision
  15. Conclusion
  16. ...and 6 more sections

Figures (6)

  • Figure 1: Illustration of the proposed everywhere attack. We attempt to synthesize an army of Wukongs (target, the monkey) into every local region of Bajie (victim, the pig).
  • Figure 2: Attentional maps of the target label ('marmoset') on different models. The top row depicts the results of the vanilla CE attack, and the bottom that of the proposed CE+everywhere attack. (a, f) Crafted AEs, (b, g) VGG16 (surrogate), (c, h) Inceptionv3 (Inc-v3) sz:16, (d, i) Res50, (e, j) Dense121.
  • Figure 3: Overview of the proposed everywhere attack.
  • Figure 4: Data-free UAPs of different target classes using Logit (top) and Logit+everywhere (bottom). (a, f) 'chickadee', (b, g) 'wolf spider', (c, h) 'peacock', (d, i) 'macaw', (e, j) 'toucan'. The UAPs have been scaled to [0, 1] for better visualization.
  • Figure :
  • ...and 1 more figures