Abstract: Transfer-based adversarial attacks highlight a critical security concern about the vulnerability of deep neural networks (DNNs). By generating deceptive inputs on a surrogate model, these attacks efficiently transfer the malicious examples to target models, even those with different architectures. However, current transfer-based adversarial attacks face a significant challenge: existing strategies, including gradient optimization, input transformation, and model ensemble methods, struggle to strike an effective balance between computational cost and transferability. To alleviate this issue, we introduce a novel method, dubbed Noise Injection Augmentation (NIA). NIA enhances the transferability of the generated adversarial examples by introducing randomness into the surrogate models. The key idea of NIA is to exploit the regularization properties of noise injection. Furthermore, we achieve stronger transferability by combining NIA with the idea of model self-ensemble. Extensive experiments show that NIA significantly enhances the attack performance of various potent adversarial attacks such as MI-FGSM, MDTI-FGSM, and S2I-FGSM by 28%, 20.4%, and 18.6%, respectively. On average, combined with the state-of-the-art transfer-based attack, NIA further improves transferability to 93.8% on normally trained models and 72% on robust models.