ILA-DA: Improving Transferability of Intermediate Level Attack with Data Augmentation

Chiu Wai Yan; Tsz-Him Cheung; Dit-Yan Yeung

ILA-DA: Improving Transferability of Intermediate Level Attack with Data Augmentation

Chiu Wai Yan, Tsz-Him Cheung, Dit-Yan Yeung

Published: 01 Feb 2023, Last Modified: 20 Feb 2023ICLR 2023 posterReaders: Everyone

Keywords: adversarial examples, adversarial transferability, data augmentation

TL;DR: We proposed ILA-DA, a method that employs 3 novel augmentation techniques to improve the transferability of adversarial attacks.

Abstract: Adversarial attack aims to generate deceptive inputs to fool a machine learning model. In deep learning, an adversarial input created for a specific neural network can also trick other neural networks. This intriguing property is known as black-box transferability of adversarial examples. To improve black-box transferability, a previously proposed method called Intermediate Level Attack (ILA) fine-tunes an adversarial example by maximizing its perturbation on an intermediate layer of the source model. Meanwhile, it has been shown that simple image transformations can also enhance attack transferability. Based on these two observations, we propose ILA-DA, which employs three novel augmentation techniques to enhance ILA. Specifically, we propose (1) an automated way to apply effective image transformations, (2) an efficient reverse adversarial update technique, and (3) an attack interpolation method to create more transferable adversarial examples. Shown by extensive experiments, ILA-DA greatly outperforms ILA and other state-of-the-art attacks by a large margin. On ImageNet, we attain an average attack success rate of 84.5%, which is 19.5% better than ILA and 4.7% better than the previous state-of-the-art across nine undefended models. For defended models, ILA-DA also leads existing attacks and provides further gains when incorporated into more advanced attack methods.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics

Submission Guidelines: Yes

Please Choose The Closest Area That Your Submission Falls Into: Deep Learning and representational learning

Supplementary Material: zip

16 Replies

Loading