GNP Attack: Transferable Adversarial Examples via Gradient Norm Penalty (2307.04099v1)
Abstract: Adversarial examples (AE) with good transferability enable practical black-box attacks on diverse target models, where insider knowledge about the target models is not required. Previous methods often generate AE with little or no transferability: they easily overfit to the particular architecture and feature representation of the white-box source model, and the generated AE barely work against black-box target models. In this paper, we propose a novel approach to enhance AE transferability using a Gradient Norm Penalty (GNP). It drives the loss-optimization procedure to converge to a flat region of local optima in the loss landscape. By attacking 11 state-of-the-art (SOTA) deep learning models and 6 advanced defense methods, we empirically show that GNP is very effective at generating AE with high transferability. We also demonstrate that it is very flexible, in that it can be easily integrated with other gradient-based methods for stronger transfer-based attacks.
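To make the idea concrete, below is a minimal PyTorch sketch of a gradient-norm-penalized iterative attack. It is an illustrative reconstruction, not the paper's exact formulation: the function name `gnp_attack`, the hyperparameters `lam` (penalty weight) and `r` (finite-difference step), and the approximation of the norm-penalty gradient by a second gradient evaluation at a nearby point are all assumptions made for this sketch.

```python
import torch
import torch.nn.functional as F

def gnp_attack(model, x, y, eps=16/255, alpha=2/255, steps=10, r=0.01, lam=0.5):
    """Illustrative GNP-style attack (hypothetical names/parameters).

    Each step ascends on L(x) - lam * ||grad L(x)||, i.e. it maximizes the
    loss while penalizing the gradient norm, biasing the perturbation toward
    flat regions of the loss landscape. The gradient of the norm term is
    approximated by a finite difference along the normalized loss gradient.
    Assumes x is a batch of images in [0, 1] with shape (B, C, H, W).
    """
    x_adv = x.clone().detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        g1 = torch.autograd.grad(loss, x_adv)[0]

        # Gradient at a nearby point shifted along the normalized gradient;
        # (g2 - g1) / r approximates the gradient of ||grad L(x)||.
        g1_norm = g1.flatten(1).norm(dim=1).view(-1, 1, 1, 1) + 1e-12
        x_near = (x_adv + r * g1 / g1_norm).detach().requires_grad_(True)
        loss_near = F.cross_entropy(model(x_near), y)
        g2 = torch.autograd.grad(loss_near, x_near)[0]

        # Ascent direction for the penalized objective, then an FGSM-style
        # sign step projected back into the eps-ball around the clean input.
        g = g1 - lam * (g2 - g1) / r
        x_adv = x_adv.detach() + alpha * g.sign()
        x_adv = torch.clamp(torch.min(torch.max(x_adv, x - eps), x + eps), 0, 1)
    return x_adv.detach()
```

In the same spirit as the paper's claim of flexibility, the extra penalized-gradient term in this sketch could be combined with momentum accumulation or input diversity by replacing the plain sign step accordingly.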