Efficient Diversified Attack: Multiple Diversification Strategies Lead to the Efficient Adversarial Attacks

Keiichiro Yamamura; Issa Oe; Nozomi Hata; Hiroki Ishikura; Katsuki Fujisawa

Efficient Diversified Attack: Multiple Diversification Strategies Lead to the Efficient Adversarial Attacks

Keiichiro Yamamura, Issa Oe, Nozomi Hata, Hiroki Ishikura, Katsuki Fujisawa

19 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX

Primary Area: optimization

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Keywords: Adversarial attack, Robustness, Optimization

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

TL;DR: We present the multi-directions/objectives strategy and Efficient Diversified Attack, which enhance adversarial attack diversification and efficacy against DL models, notably outperforming the Adaptive Auto Attack on ImageNet-trained models.

Abstract: Deep learning models are vulnerable to adversarial examples (AEs). Recently, adversarial attacks that generate AEs by optimizing a multimodal function with many local optimums have attracted considerable research attention. Quick convergence to a nearby local optimum (intensification) and fast enumeration of multiple different local optima (diversification) are important to construct strong attacks. Most existing white-box attacks that use the model's gradient enumerate multiple local optima based on multi-restart; however, our experiments suggest that the ability to diversify based on multi-restart is limited. Therefore, we propose the multi-directions/objectives (MDO) strategy, which uses multiple search directions and objective functions for diversification. The MDO strategy showed higher diversification performance and promising attack performance. Efficient Diversified Attack (EDA), a combination of MDO and multi-target strategies, showed further diversification performance, resulting in state-of-the-art attack performance against more than 90% of 41 robust models compared to Adaptive Auto Attack (A$^3$). EDA particularly outperformed A$^3$ in attack performance and runtime for models trained on ImageNet, where the MDO strategy showed higher diversification performance. These results suggest a relationship between attack and diversification performances, which is beneficial to constructing more potent attacks.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

Supplementary Material: zip

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 1746

Loading