Adversarial Example Soups: Improving Transferability and Stealthiness for Free (2402.18370v2)
Abstract: Transferable adversarial examples pose practical security risks because they can mislead a target model without any knowledge of its internals. The conventional recipe for maximizing transferability keeps only the optimal adversarial example out of all those produced in the optimization pipeline. In this paper, for the first time, we question this convention and demonstrate that the discarded, sub-optimal adversarial examples can be reused to boost transferability. Specifically, we propose "Adversarial Example Soups" (AES), with AES-tune for averaging the adversarial examples discarded during hyperparameter tuning and AES-rand for averaging those produced during stability testing. AES is inspired by "model soups", which average the weights of multiple fine-tuned models for improved accuracy without increasing inference time. Extensive experiments validate the global effectiveness of AES, boosting 10 state-of-the-art transfer attacks and their combinations by up to 13% against 10 diverse (defended) target models. We also show that AES generalizes to other settings, e.g., directly averaging multiple in-the-wild adversarial examples that yield comparable success. A promising byproduct of AES is improved stealthiness, since averaging naturally reduces the perturbation variance.
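The following is an added illustration of the averaging step described in the abstract; it is not the paper's code and reproduces none of its results. It uses a toy linear softmax classifier as the white-box surrogate and MI-FGSM (the momentum attack cited below) as the base attack. "AES-tune" averages the adversarial examples produced across a sweep of the momentum decay factor; "AES-rand" averages repeated runs from random starts inside the budget (the reading of "stability testing" as repeated seeded runs is an assumption). The L_inf budget, step count, sweep values and model are all constructed for the example. What the code checks are the two properties that hold by construction: a uniform average of examples inside the L_inf ball stays inside it (convexity), and the averaged perturbation's pixel-wise standard deviation never exceeds the largest individual one (triangle inequality), which is the mechanism behind the reduced perturbation variance mentioned above. Whether the soup transfers better than any single candidate is an empirical question the toy setting cannot answer, so it is reported but not asserted.

```python
"""AES-style averaging of sub-optimal adversarial examples (added illustration, not the paper's code).

Constructed toy setting: linear softmax surrogate, MI-FGSM base attack, assumed budget and sweep.
"""
import numpy as np

EPS = 16 / 255      # assumed L_inf budget on [0, 1]-scaled pixels
STEPS = 10          # assumed number of attack iterations


def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()


class LinearSurrogate:
    """logits = W x + b; the input-gradient of cross-entropy is available in closed form."""

    def __init__(self, w, b):
        self.w, self.b = w, b

    def predict(self, x):
        return int(np.argmax(self.w @ x + self.b))

    def grad_ce(self, x, y):
        p = softmax(self.w @ x + self.b)
        p[y] -= 1.0                      # d(CE)/d(logits) = softmax - onehot(y)
        return self.w.T @ p


def mi_fgsm(model, x, y, eps, steps, mu, x0=None):
    """Momentum iterative FGSM; mu is the momentum decay factor being swept."""
    alpha = eps / steps
    g = np.zeros_like(x)
    x_adv = x.copy() if x0 is None else x0.copy()
    for _ in range(steps):
        grad = model.grad_ce(x_adv, y)
        g = mu * g + grad / (np.abs(grad).sum() + 1e-12)   # L1-normalised gradient accumulation
        x_adv = x_adv + alpha * np.sign(g)
        x_adv = np.clip(x_adv, x - eps, x + eps)            # project back into the L_inf ball
        x_adv = np.clip(x_adv, 0.0, 1.0)                    # stay a valid image
    return x_adv


def soup(candidates):
    """Adversarial example soup: uniform average of the candidate adversarial examples."""
    return np.mean(np.stack(candidates), axis=0)


def aes_tune(model, x, y, eps, steps, mus):
    """AES-tune: keep every example from the hyperparameter sweep instead of only the best one."""
    return [mi_fgsm(model, x, y, eps, steps, mu) for mu in mus]


def aes_rand(model, x, y, eps, steps, mu, seeds):
    """AES-rand (assumed reading): repeat the attack from seeded random starts inside the budget."""
    cands = []
    for s in seeds:
        x0 = np.clip(x + np.random.default_rng(s).uniform(-eps, eps, size=x.shape), 0.0, 1.0)
        cands.append(mi_fgsm(model, x, y, eps, steps, mu, x0=x0))
    return cands


def perturbation_stats(x, x_adv):
    d = x_adv - x
    return {"linf": float(np.abs(d).max()), "l2": float(np.linalg.norm(d)), "std": float(d.std())}


def run_demo(n_pixels=64, n_classes=5, seed=0):
    rng = np.random.default_rng(seed)
    surrogate = LinearSurrogate(rng.normal(size=(n_classes, n_pixels)), rng.normal(size=n_classes))
    x = rng.uniform(size=n_pixels)        # constructed "image"
    y = surrogate.predict(x)              # untargeted: push away from the surrogate's own label

    tune_cands = aes_tune(surrogate, x, y, EPS, STEPS, mus=[0.0, 0.5, 1.0, 1.5])
    rand_cands = aes_rand(surrogate, x, y, EPS, STEPS, mu=1.0, seeds=range(4))
    tune_soup, rand_soup = soup(tune_cands), soup(rand_cands)

    return {
        "tune_soup": perturbation_stats(x, tune_soup),
        "rand_soup": perturbation_stats(x, rand_soup),
        "max_tune_std": max(perturbation_stats(x, c)["std"] for c in tune_cands),
        "max_rand_std": max(perturbation_stats(x, c)["std"] for c in rand_cands),
        # Informational only: a toy linear model says nothing about real transferability.
        "tune_soup_fools_surrogate": surrogate.predict(tune_soup) != y,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Because the averaged example is guaranteed to respect the same L_inf budget as its ingredients, AES adds no new constraint to check at deployment time; the only cost is keeping the candidates that the conventional pipeline would discard. In a real pipeline the candidates would be produced by any of the transfer attacks listed in the references, with the surrogate replaced by the actual source model.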
- Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy (S&P), pages 39–57, 2017.
- Rethinking model ensemble in transfer-based adversarial attacks. arXiv preprint arXiv:2303.09105, 2023.
- Certified Adversarial Robustness via Randomized Smoothing. International Conference on Machine Learning, pages 1310–1320, 2019.
- Boosting adversarial attacks with momentum. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 9185–9193, 2018.
- Evading Defenses to Transferable Adversarial Examples by Translation-invariant Attacks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 4312–4321, 2019.
- FDA: Feature Disruptive Attack. In Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), pages 8068–8078, 2019.
- Loss surfaces, mode connectivity, and fast ensembling of dnns. In Advances in Neural Information Processing Systems, 2018.
- Boosting adversarial transferability by achieving flat local maxima. In Advances in Neural Information Processing Systems, 2023.
- Explaining and harnessing adversarial examples. In International Conference on Learning Representations (ICLR), 2015.
- Countering adversarial images using input transformations. In Proceedings of International Conference on Learning Representations, 2018.
- Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770–778, 2016.
- Averaging weights leads to wider optima and better generalization. In Conference on Uncertainty in Artificial Intelligence, 2018.
- Adversarial Machine Learning at Scale. In ICLR, 2017.
- Adversarial examples in the physical world. In Artificial Intelligence Safety and Security, pages 99–112, 2018.
- StyLess: Boosting the transferability of adversarial examples. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 8163–8172, 2023.
- Defense against adversarial attacks using high-level representation guided denoiser. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 1778–1787, 2018.
- Nesterov Accelerated Gradient and Scale Invariance for Adversarial Attacks. In International Conference on Learning Representations (ICLR), 2020.
- Delving into transferable adversarial examples and black-box attacks. In International Conference on Learning Representations (ICLR), 2017.
- Feature distillation: DNN-oriented JPEG compression against adversarial examples. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 860–868, 2019.
- Swin transformer: Hierarchical vision transformer using shifted windows. In Proceedings of the IEEE/CVF International Conference on Computer Vision, pages 10012–10022, 2021.
- Frequency Domain Model Augmentation for Adversarial Attack. In European Conference on Computer Vision, pages 549–566, 2022.
- Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations (ICLR), 2018.
- Model soups: averaging weights of multiple fine-tuned models improves accuracy without increasing inference time. In International Conference on Machine Learning, (ICML), pages 23965–23998, 2022.
- A self-supervised approach for adversarial robustness. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 262–271, 2020.
- What is being transferred in transfer learning? In Advances in Neural Information Processing Systems, 2020.
- Boosting the transferability of adversarial attacks with reverse adversarial perturbation. In Advances in neural information processing systems, 2022.
- Faster R-CNN: Towards real-time object detection with region proposal networks. IEEE Transactions on Pattern Analysis and Machine Intelligence, 39(6):1137–1149, 2017.
- ImageNet Large Scale Visual Recognition Challenge. International Journal of Computer Vision, 115:211–252, 2015.
- Very deep convolutional networks for large-scale image recognition. In International Conference on Learning Representations (ICLR), 2015.
- Intriguing properties of neural networks. In International Conference on Learning Representations (ICLR), 2014.
- Rethinking the inception architecture for computer vision. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 2818–2826, 2016.
- Inception-v4, inception-resnet and the impact of residual connections on learning. In Thirty-first AAAI Conference on Artificial Intelligence, 2017.
- Ensemble Adversarial Training: Attacks and Defenses. In ICLR, 2018.
- CosFace: Large Margin Cosine Loss for Deep Face Recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2018.
- Enhancing the Transferability of Adversarial Attacks through Variance Tuning. In CVPR, pages 1924–1933, 2021.
- Admix: Enhancing the Transferability of Adversarial Attacks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 16158–16167, 2021a.
- Rethinking the backward propagation for adversarial transferability. In Advances in Neural Information Processing Systems, 2023a.
- Structure invariant transformation for better adversarial transferability. arXiv preprint arXiv:2309.14700, 2023b.
- Image quality assessment: from error visibility to structural similarity. IEEE Transactions on Image Processing, 13:600–612, 2004.
- Feature Importance-aware Transferable Adversarial Attacks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 7639–7648, 2021b.
- A discriminative feature learning approach for deep face recognition. In European Conference on Computer Vision, 2016.
- Boosting adversarial transferability via fusing logits of top-1 decomposed feature. arXiv preprint arXiv:2305.01361, 2023.
- Improving the transferability of adversarial samples with adversarial transformations. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 9020–9029, 2021.
- Mitigating adversarial effects through randomization. In Proceedings of International Conference on Learning Representations, 2018.
- Improving transferability of adversarial examples with input diversity. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 2730–2739, 2019.
- Stochastic variance reduced ensemble adversarial attack for boosting the adversarial transferability. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 14963–14972, 2022.
- Feature squeezing: Detecting adversarial examples in deep neural networks. In Proceedings of Network and Distributed System Security Symposium, 2018.
- Adversarial example generation with adabelief optimizer and crop invariance. Applied Intelligence, 53:2332–2347, 2021.
- Adaptive image transformations for transfer-based adversarial attack. In European Conference on Computer Vision, 2022.
- Improving adversarial transferability via neuron attribution-based attacks. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 14973–14982, 2022.
- Improving the transferability of adversarial samples by path-augmented method. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 8173–8182, 2023.
- The unreasonable effectiveness of deep features as a perceptual metric. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 586–595, 2018.
- Towards good practices in evaluating transfer adversarial attacks. arXiv preprint arXiv:2211.09565, 2022.
- Learning deep features for discriminative localization. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 2921–2929, 2016.
- Rethinking adversarial transferability from a data distribution perspective. In International Conference on Learning Representations (ICLR), 2022.