Enhancing Targeted Attack Transferability via Diversified Weight Pruning

Hung-Jui Wang, Yu-Yu Wu, Shang-Tse Chen; Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, 2024, pp. 2904-2914

Abstract

Malicious attackers generate adversarial instances by introducing imperceptible perturbations into data. Even in the black-box setting, where model details are concealed, attackers can still exploit networks through cross-model transferability. Despite the notable success of untargeted attacks, achieving targeted attack transferability remains a challenging endeavor. Recent investigations have demonstrated the efficacy of ensemble-based techniques. However, utilizing additional models to carry out ensemble attacks brings extra costs. To reduce the number of white-box models required, model augmentation methods augment the given network to produce a variety of diverse models that contribute useful gradients for the attack. In this work, we propose Diversified Weight Pruning (DWP) as an innovative model augmentation technique specifically designed to facilitate the generation of transferable targeted attacks. In contrast to prior techniques, DWP can preserve essential connections while simultaneously ensuring diversity among the pruned models, both of which are identified as pivotal factors for targeted transferability. The effectiveness of DWP is empirically validated through experiments on ImageNet under challenging conditions. The results underscore the improvements brought about by DWP in targeted attack success rates, with enhancements of up to 10.1%, 6.6%, and 7.0% observed in combination with state-of-the-art methods across adversarially trained models, non-CNN architectures, and Google Cloud Vision, respectively.

Related Material

BibTeX:

@InProceedings{Wang_2024_CVPR,
  author    = {Wang, Hung-Jui and Wu, Yu-Yu and Chen, Shang-Tse},
  title     = {Enhancing Targeted Attack Transferability via Diversified Weight Pruning},
  booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops},
  month     = {June},
  year      = {2024},
  pages     = {2904-2914}
}