Appropriate Balance of Diversification and Intensification Improves Performance and Efficiency of Adversarial Attacks

Published: 27 May 2024, Last Modified: 27 May 2024Accepted by TMLREveryoneRevisionsBibTeX
Abstract: Recently, adversarial attacks that generate adversarial examples by optimizing a multimodal function with many local optimums have attracted considerable research attention. Quick convergence to a nearby local optimum (intensification) and fast enumeration of multiple different local optima (diversification) are important to construct strong attacks. Most existing white-box attacks that use the model’s gradient enumerate multiple local optima based on multi-restart; however, our experiments suggest that the ability of diversification based on multi-restart is limited. To tackle this problem, we propose the multi-directions/objectives (MDO) strategy, which uses multiple search directions and objective functions for diversification. Efficient Diversified Attack, a combination of MDO and multi-target strategies, showed further diversification performance, resulting in better performance than recently proposed attacks against around 88% of 41 CNN-based robust models and 100% of 10 more advanced models, including transformer-based architecture. These results suggest a relationship between attack performances and a balance of diversification and intensification, which is beneficial to constructing more potent attacks.
Submission Length: Long submission (more than 12 pages of main content)
Changes Since Last Submission: ~~Changes are highlighted in blue.~~ Final version. #### Section 1 - Add "under the standard setting of perturbation bound in RobustBench leaderboard" to limit the scope of the claim (p. 2, response to comment 2) #### Section 3.2 - Add explanations of why the objective function and search direction are chosen with DI-based indicators (p. 7, response to comment 1) #### Section 3.3 - Add explanations of why ensemble is used in the diversification phase and composite in the intensification phase (p. 8, response to comment 1) #### Section 3.4 (p. 9-10, response to comment 1) - Specify that the algorithm used for targeted attacks was determined based on experimental results. - Clarify that the order in which the MDO framework and targeted attacks are executed is not very important. #### Section 4.1 - Add "under the standard setting of perturbation bound in RobustBench leaderboard" (p.12, response to comment 1) - Discussed the relationship between perturbation bound (epsilon size) and required computation time for attack convergence, based on the results of experiments under larger epsilon with extended EDA's runtime (p. 14, in response to comment 2) - Add explanations about the role and impact of multi-targeted attacks in EDA from the viewpoint of diversification (p. 14, in response to comment 1) #### Section 4.3 - Investigate the impact of constraints on the number of objective functions to choose from on attack performance and computation time (p.16, response to comment 1) #### Section 4.4 - Investigate the effect of limiting the attack target images in the intensification phase (p. 17, response to comment 1) #### Section 4.5 - Move Limitations and assumptions from the Appendix to the main text (p. 18, in response to comment 2)
Supplementary Material: zip
Assigned Action Editor: ~Xi_Lin2
Submission Number: 2181