Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets (2002.05990v1)

Published 14 Feb 2020 in cs.LG, cs.CR, cs.CV, and stat.ML

Abstract: Skip connections are an essential component of current state-of-the-art deep neural networks (DNNs) such as ResNet, WideResNet, DenseNet, and ResNeXt. Despite their huge success in building deeper and more powerful DNNs, we identify a surprising security weakness of skip connections in this paper. Use of skip connections allows easier generation of highly transferable adversarial examples. Specifically, in ResNet-like (with skip connections) neural networks, gradients can backpropagate through either skip connections or residual modules. We find that using more gradients from the skip connections rather than the residual modules according to a decay factor, allows one to craft adversarial examples with high transferability. Our method is termed Skip Gradient Method(SGM). We conduct comprehensive transfer attacks against state-of-the-art DNNs including ResNets, DenseNets, Inceptions, Inception-ResNet, Squeeze-and-Excitation Network (SENet) and robustly trained DNNs. We show that employing SGM on the gradient flow can greatly improve the transferability of crafted attacks in almost all cases. Furthermore, SGM can be easily combined with existing black-box attack techniques, and obtain high improvements over state-of-the-art transferability methods. Our findings not only motivate new research into the architectural vulnerability of DNNs, but also open up further challenges for the design of secure DNN architectures.

Authors (5)
  1. Dongxian Wu (12 papers)
  2. Yisen Wang (120 papers)
  3. Shu-Tao Xia (171 papers)
  4. James Bailey (70 papers)
  5. Xingjun Ma (114 papers)
Citations (282)

Summary

  • The paper shows that the Skip Gradient Method (SGM) substantially raises the transferability of adversarial examples by decaying the gradient that flows back through residual modules, so that the gradient carried by the skip connections dominates the attack direction.
  • SGM is a modification of the backward pass, not a new attack: combined with existing gradient-based attacks such as FGSM and PGD, it raises black-box success rates against target models such as VGG, DenseNet, and Inception.
  • The findings show that defenses need to account for architectural choices, since the skip connections that make ResNet-like networks trainable also make attacks crafted on them easier to transfer.

Analysis of Skip Connections' Security Vulnerabilities in ResNet-like Neural Networks

The paper "Skip Connections Matter: On the Transferability of Adversarial Examples Generated with ResNets" (arXiv 2002.05990) by Dongxian Wu et al. investigates a security weakness in the architecture of residual neural networks. This family of deep neural networks (DNNs), characterized by skip connections, delivers state-of-the-art performance on many deep learning tasks. The paper shows that the same skip connections can be exploited to produce highly transferable adversarial examples.

Residual networks (ResNets) use skip connections to let information bypass one or more layers: each block computes x_{l+1} = x_l + f_l(x_l), so the input is carried forward unchanged by an identity mapping and the residual module f_l only has to learn a correction. This design mitigates the vanishing-gradient problem and makes very deep networks trainable, which is why it underlies ResNet, WideResNet, DenseNet, and ResNeXt.

The authors show that these skip connections, while essential for training deep models, also shape how adversarial gradients flow. Because each block offers two backward paths, one through the skip connection and one through the residual module, an attacker can choose how much of the gradient to take from each. Emphasizing the gradient that passes through the skip connections markedly improves transferability, that is, the ability of adversarial examples generated on one (surrogate) model to fool other models.

The proposed Skip Gradient Method (SGM) implements this directly. During backpropagation, the gradient flowing through each residual module is multiplied by a decay factor γ in (0, 1], while the gradient through the skip connection is left unaltered; γ = 1 recovers the ordinary gradient. Because SGM only changes how the gradient is computed, it drops into any existing gradient-based attack (FGSM, iterative FGSM, PGD, and other black-box transfer techniques) without changing the attack loop, and the paper reports improved success rates when examples crafted on a ResNet surrogate are transferred to architectures such as VGG, DenseNet, and Inception models.
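As an added illustration that is not the authors' code, the block below builds a toy ResNet of the form x_{l+1} = x_l + f_l(x_l) in pure Python and implements the SGM backward pass. Everything in it is constructed for the example: the block dimension and depth, the seeded random weights, the linear scoring head used as the loss, and the input point. With γ = 1 the result is the ordinary input gradient, which the example checks against finite differences; with γ = 0 only the skip (identity) path remains, so the gradient collapses to the head weights. The FGSM step at the end is the standard sign-of-gradient update and is included only to show where SGM plugs into an attack.

```python
"""Skip Gradient Method (SGM) on a constructed toy ResNet, in pure Python.

Added illustration, not the paper's code. Each residual block computes
x_{l+1} = x_l + f_l(x_l) with f_l(x) = W2 relu(W1 x + b1); a linear head
turns the final activation into a scalar score that plays the role of the
attack loss. SGM scales the gradient flowing back through each residual
branch by gamma in (0, 1] and leaves the skip path untouched.
"""
import random


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def matvec_t(W, v):
    # W^T v without materialising the transpose
    return [sum(W[i][j] * v[i] for i in range(len(W))) for j in range(len(W[0]))]


def relu(v):
    return [max(0.0, x) for x in v]


def make_toy_resnet(dim, depth, seed=0):
    """Constructed weights (seeded, so the example is deterministic)."""
    rng = random.Random(seed)

    def rand_mat(rows, cols):
        return [[rng.uniform(-1, 1) for _ in range(cols)] for _ in range(rows)]

    blocks = [
        {"W1": rand_mat(dim, dim),
         "b1": [rng.uniform(-0.5, 0.5) for _ in range(dim)],
         "W2": rand_mat(dim, dim)}
        for _ in range(depth)
    ]
    head = [rng.uniform(-1, 1) for _ in range(dim)]
    return {"blocks": blocks, "head": head}


def forward(net, x):
    """Returns the scalar score and the pre-activations cached for backprop."""
    caches = []
    for blk in net["blocks"]:
        z = [zi + bi for zi, bi in zip(matvec(blk["W1"], x), blk["b1"])]
        fx = matvec(blk["W2"], relu(z))
        caches.append(z)
        x = [xi + fi for xi, fi in zip(x, fx)]  # skip connection: x + f(x)
    score = sum(w * xi for w, xi in zip(net["head"], x))
    return score, caches


def sgm_input_gradient(net, x, gamma=1.0):
    """d score / d x, with the residual-branch gradient decayed by gamma.

    gamma = 1.0 is the ordinary gradient; gamma < 1 is SGM.
    """
    _, caches = forward(net, x)
    g = list(net["head"])  # d score / d x_L
    for blk, z in zip(reversed(net["blocks"]), reversed(caches)):
        # gradient through the residual branch: W1^T (relu'(z) * (W2^T g))
        gh = matvec_t(blk["W2"], g)
        gz = [gi if zi > 0 else 0.0 for gi, zi in zip(gh, z)]
        g_res = matvec_t(blk["W1"], gz)
        # SGM: the skip path passes g through unchanged, the residual path is decayed
        g = [gs + gamma * gr for gs, gr in zip(g, g_res)]
    return g


def fgsm_step(x, grad, eps):
    """One L_inf step that increases the score; SGM only changes `grad`."""
    def sign(v):
        return (v > 0) - (v < 0)
    return [xi + eps * sign(gi) for xi, gi in zip(x, grad)]


def finite_difference_gradient(net, x, h=1e-6):
    """Numerical d score / d x; used to check that gamma = 1 is the true gradient."""
    grad = []
    for i in range(len(x)):
        xp, xm = list(x), list(x)
        xp[i] += h
        xm[i] -= h
        grad.append((forward(net, xp)[0] - forward(net, xm)[0]) / (2 * h))
    return grad


if __name__ == "__main__":
    net = make_toy_resnet(dim=4, depth=3)
    x0 = [0.3, -0.2, 0.5, 0.1]  # constructed input point
    for gamma in (1.0, 0.5, 0.0):
        print(gamma, sgm_input_gradient(net, x0, gamma))
    print("fgsm step:", fgsm_step(x0, sgm_input_gradient(net, x0, 0.5), 0.05))
```

In a real attack the per-block scaling above is what one would register as a backward hook on each residual branch of the surrogate model; the outer FGSM, iterative FGSM or PGD loop stays exactly as it was.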

In their experiments, the researchers report that adversarial examples generated with SGM transfer significantly better than those produced by state-of-the-art transfer attacks, and that SGM further improves those methods when combined with them. The authors also argue that the results challenge two received views: that attacks crafted on shallower networks transfer better, and that strong iterative attacks such as Projected Gradient Descent (PGD) transfer worse than weaker single-step attacks like FGSM. With SGM, PGD becomes highly transferable across architectures.

The implications of this research extend both practically and theoretically. Practically, the findings underscore the necessity for redesigning defense mechanisms against adversarial attacks, taking into account these architectural vulnerabilities. Theoretically, the research opens up new avenues for exploring the interrelationship between network architecture and adversarial susceptibility, suggesting that future investigation may reveal further intricate dynamics at play.

Looking forward, this research suggests that more secure network architectures will need to be developed, potentially incorporating mechanisms that limit how much attack-relevant gradient skip connections expose. While ResNet-like networks remain central to the performance of deep learning models, understanding and guarding against this architectural weakness is crucial for their deployment in security-critical domains.