Existing transfer-based attacks primarily focus on maximizing the empirical risk on the surrogate model while ignoring the expected risk over the unknown target models, which often leads to suboptimal transferability. To address this issue, we propose a transferability-gap-aware attack framework. First, we formulate the objective of transfer-based attacks as an expected risk and introduce the notion of the transferability gap, which quantifies the absolute discrepancy between the empirical risk and the expected risk. Our analysis reveals that when the transferability gap is small, maximizing the empirical risk becomes approximately equivalent to maximizing the expected risk, thereby yielding highly transferable adversarial examples. Based on this insight, the proposed method minimizes the worst-case transferability gap while maximizing the empirical risk. This min-max formulation seeks the attack with the strongest transferability under the hardest transfer setting. Experimental results show that the proposed method outperforms recent state-of-the-art transfer-based attacks and generates highly transferable adversarial examples quickly.
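The following is an added toy illustration of the quantities the abstract defines, not the paper's code: a logistic-regression surrogate stands in for the white-box model, a pool of held-out logistic regressions trained on fresh samples of the same constructed distribution stands in for the unknown black-box targets, and adversarial examples are crafted on the surrogate with a single FGSM step. The empirical risk is the surrogate's mean loss on the adversarial examples, the expected risk is estimated as the mean loss over the held-out models, and the transferability gap is their absolute difference. The model pool, dataset, step size and training schedule are all assumptions for the example; the min-max optimization of the gap itself is not reproduced here because the abstract does not specify it.

```python
"""Toy illustration of empirical risk, (estimated) expected risk and the
transferability gap for a transfer-based attack.

Constructed setup (not the paper's code or data): logistic-regression surrogate
f_s, a pool of held-out logistic-regression models f_t trained on different
samples of the same synthetic distribution, one-step FGSM on the surrogate.
"""
import math
import random

DIM = 4
W_TRUE = [1.0, -2.0, 0.5, 1.5]  # constructed ground-truth separator (assumption)


def make_dataset(n, seed):
    """Constructed data: x ~ U(-1,1)^DIM, label = 1 if W_TRUE . x > 0 else 0."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(DIM)]
        xs.append(x)
        ys.append(1 if sum(wi * xi for wi, xi in zip(W_TRUE, x)) > 0 else 0)
    return xs, ys


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(model, x):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def loss(model, x, y):
    """Binary cross-entropy of one example, clamped for numerical safety."""
    p = min(max(predict(model, x), 1e-12), 1 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))


def train(xs, ys, steps=300, lr=0.5):
    """Plain batch gradient descent on logistic regression (assumed trainer)."""
    w, b = [0.0] * DIM, 0.0
    n = len(xs)
    for _ in range(steps):
        gw, gb = [0.0] * DIM, 0.0
        for x, y in zip(xs, ys):
            err = predict((w, b), x) - y
            for i in range(DIM):
                gw[i] += err * x[i] / n
            gb += err / n
        w = [wi - lr * gi for wi, gi in zip(w, gw)]
        b -= lr * gb
    return w, b


def fgsm(model, x, y, eps):
    """One-step L_inf attack on the surrogate: x + eps * sign(d loss / d x)."""
    w, _ = model
    err = predict(model, x) - y           # d loss / d logit
    grad = [err * wi for wi in w]          # d loss / d x for a linear logit
    return [xi + eps * (1 if g > 0 else -1 if g < 0 else 0)
            for xi, g in zip(x, grad)]


def mean_loss(model, xs, ys):
    return sum(loss(model, x, y) for x, y in zip(xs, ys)) / len(xs)


def transferability_gap(surrogate, targets, xs, ys):
    """Returns (empirical_risk, expected_risk, gap) on the given examples.

    empirical_risk: surrogate loss (what a plain transfer attack maximizes)
    expected_risk:  Monte Carlo estimate over the held-out model pool
    gap:            |empirical_risk - expected_risk| as defined in the abstract
    """
    empirical = mean_loss(surrogate, xs, ys)
    expected = sum(mean_loss(t, xs, ys) for t in targets) / len(targets)
    return empirical, expected, abs(empirical - expected)


def run_experiment(eps=0.3, n_targets=5):
    xs, ys = make_dataset(200, seed=0)
    surrogate = train(xs, ys)
    # Held-out models: same distribution, different samples, standing in for
    # the black-box models the perturbation must transfer to.
    targets = [train(*make_dataset(200, seed=100 + k)) for k in range(n_targets)]
    x_test, y_test = make_dataset(100, seed=999)
    x_adv = [fgsm(surrogate, x, y, eps) for x, y in zip(x_test, y_test)]
    return {
        "clean": transferability_gap(surrogate, targets, x_test, y_test),
        "adv": transferability_gap(surrogate, targets, x_adv, y_test),
    }


if __name__ == "__main__":
    for name, (emp, exp, gap) in run_experiment().items():
        print(f"{name:5s} empirical={emp:.3f} expected={exp:.3f} gap={gap:.3f}")
```

Because every model in this toy pool learns a separator with the same sign pattern, the surrogate's FGSM direction also raises the loss of every held-out model, so the attack transfers; the printed gap is the quantity a transferability-gap-aware method would additionally try to keep small while pushing the empirical risk up.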