Admix: Enhancing the Transferability of Adversarial Attacks

Xiaosen Wang, Xuanran He, Jingdong Wang, Kun He; Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2021, pp. 16158-16167

Abstract


Deep neural networks are known to be extremely vulnerable to adversarial examples under the white-box setting. Moreover, the malicious adversaries crafted on the surrogate (source) model often exhibit black-box transferability to other models with the same learning task but different architectures. Recently, various methods have been proposed to boost adversarial transferability, among which input transformation is one of the most effective approaches. We investigate in this direction and observe that existing transformations are all applied to a single image, which might limit the adversarial transferability. To this end, we propose a new input-transformation-based attack method called Admix that considers the input image and a set of images randomly sampled from other categories. Instead of directly calculating the gradient on the original input, Admix calculates the gradient on the input image admixed with a small portion of each add-in image while using the original label of the input to craft more transferable adversaries.

Related Material


@InProceedings{Wang_2021_ICCV,
    author    = {Wang, Xiaosen and He, Xuanran and Wang, Jingdong and He, Kun},
    title     = {Admix: Enhancing the Transferability of Adversarial Attacks},
    booktitle = {Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV)},
    month     = {October},
    year      = {2021},
    pages     = {16158-16167}
}