Title
Enhancing Adversarial Attack Transferability With Multi-Scale Feature Attack
Abstract
Deep neural networks are vulnerable to adversarial examples, which can fool models by adding carefully designed perturbations. An intriguing phenomenon is that adversarial examples often exhibit transferability, thus making black-box attacks effective in real-world applications. However, the adversarial examples generated by existing methods typically overfit the structure and feature representation of the source model, resulting in a low success rate in a black-box manner. To address this issue, we propose the multi-scale feature attack to boost attack transferability, which adjusts the internal feature space representation of the adversarial image to be far from the internal representation of the original image. We show that we can select a low-level layer and a high-level layer of the source model to conduct the perturbations, and the crafted adversarial examples are confused with original images, not just in the class but also in the feature space representations. To further improve the transferability of adversarial examples, we apply reverse cross-entropy loss to reduce the overfitting further and show that it is effective for attacking adversarially trained models with strong defensive ability. Extensive experiments show that the proposed methods consistently outperform the iterative fast gradient sign method (IFGSM) and momentum iterative fast gradient sign method (MIFGSM) under the challenging black-box setting.
Year: 2021
DOI: 10.1142/S0219691320500769
Venue: INTERNATIONAL JOURNAL OF WAVELETS MULTIRESOLUTION AND INFORMATION PROCESSING
Keywords: Deep neural networks, adversarial examples, black-box attacks, multi-scale feature attack
DocType: Journal
Volume: 19
Issue: 2
ISSN: 0219-6913
Citations: 0
PageRank: 0.34
References: 0
Authors: 5
Name | Order | Citations | PageRank
Caixia Sun | 1 | 0 | 0.34
Lian Zou | 2 | 1 | 2.38
Cien Fan | 3 | 1 | 3.06
Yu Shi | 4 | 0 | 0.34
Yifeng Liu | 5 | 0 | 3.72