Go to DBLP homepageEnhancing Adversarial Transferability from the Perspective of Input Loss Landscape
Abstract: The transferability of adversarial examples enables the black-box attacks and poses a threat to the application of deep neural networks in real-world, which has attracted great attention in recent years. Regarding the adversarial example generation as the dual optimization process of model training, existing works mainly focus on better optimization algorithm and model augmentation to improve the transferability of adversarial examples. Despite the impressive performance, the explanation on the transferability improvement is still underexplored. In this paper, recalling that weight loss landscape is a widely used indicator to characterize the generalization ability of neural networks, we investigate the effect of input loss landscape on adversarial transferability. Through abundant analysis, we find a clear correlation between the flatness of input loss landscape and adversarial transferability: existing adversarial transferability improvements all implicitly flatten the input loss landscape and the better transferability one method achieves, the flatter input loss landscape it has. Motivated by this, we propose a simple yet effective Adversarial Pixel Perturbation (APP) method to explicitly flatten the input loss landscape during the adversarial example generation process. Extensive experiments demonstrate the effectiveness of the proposed method in improving the adversarial transferability. By incorporating the proposed APP into existing attack methods, we achieve a record of \(97.0\%\) attack success rate on average against six defense models, outperforming the state-of-the-art attack method by a clear margin of \(4.0\%\).
Loading