Boosting Adversarial Attacks with Improved Sign Method
Abstract: Deep neural networks (DNNs) can be susceptible to adversarial examples, which involve adding imperceptible perturbations to benign images in order to deceive the models. Although many current adversarial attack methods achieve nearly 100% success rates in white-box attacks, their effectiveness often diminishes when targeting black-box models due to limited transferability. The transfer-based attack technique involves choosing a surrogate model that closely resembles the target model. By exploiting the shared decision boundaries among different models, this method generates highly transferable adversarial examples. Most attack methods change the gradient using the Sign Method (SM) and add small perturbation to the original image. Although SM is simple and effective, it only extracts the sign of the gradient unit, ignoring the size of the gradient value, and resulting in an inaccurate update direction in the iterative process. In our research, we introduce an innovative approach called the Improved Sign Method (ISM). This strategy involves assigning weights to gradients, aiming to mitigate this concern and thereby enhance the efficacy of black-box attacks in terms of transferability. The effectiveness of our proposed Improved Sign Method (ISM) is strongly validated through a series of comprehensive experiments. These results unequivocally demonstrate its capability to significantly enhance the transferability of adversarial examples within black-box attack scenarios. Furthermore, ISM seamlessly integrates with the Fast Gradient Sign Attack Method (FGSM) family, making it applicable across various scenarios. Notably, the computational overhead associated with this integration is practically negligible. Moreover, by incorporating with other advanced attack methods, the performance of black-box attack has been significantly enhanced.
Loading