Abstract: Generating adversarial examples with high transferability is key to practical black-box attack scenarios, where the attacker has limited or no information about the target models. While previous works mainly focus on input transformations or the optimization process to reduce overfitting to a surrogate model and enhance transferability, we find that well-designed model manipulation can provide complementary gains to existing methods. We propose Worst-case Aware Attack (WAA), a simple, effective method that provides access to a virtual ensemble of models to mitigate overfitting to a specific model during the adversarial example generation process. Specifically, WAA formulates a max-min optimization that seeks adversarial examples robust against worst-case models, which are created by adding a per-example weight perturbation to the source model in the direction that weakens the adversarial example in question. Unlike other model manipulation methods, WAA does not require multiple surrogate models or architecture-specific knowledge. Experimental results on ImageNet demonstrate that WAA can be combined with a variety of existing methods to consistently improve transferability across different settings, including naturally trained models, adversarially trained models, and adversarial defenses.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
Submission Guidelines: Yes
Please Choose The Closest Area That Your Submission Falls Into: Applications (eg, speech processing, computer vision, NLP)
Community Implementations: [1 code implementation](https://www.catalyzex.com/paper/improving-adversarial-transferability-with/code)