Enhancing the Transferability of Adversarial Attacks with Stealth Preservation

Xinwei Zhang, Tianyuan Zhang, Yitong Zhang, Shuangcheng Liu; Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, 2024, pp. 2915-2925

Abstract


In recent years, deep neural networks have proven susceptible to attacks from adversarial examples. Black-box attacks in particular pose a more serious threat to practical applications. However, while most existing black-box attacks have achieved a high success rate in deceiving models, they have not focused on the stealthiness of adversarial examples, which often exhibit suspicious visual appearances. To address this issue, this paper proposes the Mask Momentum Iterative Attack (MMIA), which introduces a masking mechanism and adopts an optimal perturbation strategy to identify the regions of an image most vulnerable to attacks. This approach effectively ensures the transferability and stealthiness of adversarial examples. Simultaneously, by integrating image enhancement techniques and temporal and spatial momentum terms into the iterative process of the attack, we prevent the attack from getting stuck in local optima, further improving the transferability of adversarial examples. To enhance the success rate of black-box attacks, we apply MMIA to a model ensemble using a joint optimization strategy. We demonstrate that adversarially trained models with a strong defense ability are also susceptible to our black-box attacks. We conduct extensive experiments on classification tasks using common vision models, and our results significantly demonstrate the superiority of our method over state-of-the-art approaches when considering both transferability and stealthiness.

Related Material


[bibtex]
@InProceedings{Zhang_2024_CVPR,
    author    = {Zhang, Xinwei and Zhang, Tianyuan and Zhang, Yitong and Liu, Shuangcheng},
    title     = {Enhancing the Transferability of Adversarial Attacks with Stealth Preservation},
    booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops},
    month     = {June},
    year      = {2024},
    pages     = {2915-2925}
}