
Reliable Evaluation of Adversarial Transferability (2306.08565v1)

Published 14 Jun 2023 in cs.CV

Abstract: Adversarial examples (AEs) with small adversarial perturbations can mislead deep neural networks (DNNs) into wrong predictions. AEs created on one DNN can also fool another DNN. Over the last few years, the transferability of AEs has garnered significant attention, as it is a crucial property for facilitating black-box attacks. Many approaches have been proposed to improve adversarial transferability. However, they are mainly verified across different convolutional neural network (CNN) architectures, which is not a reliable evaluation since all CNNs share similar architectural biases. In this work, we re-evaluate 12 representative transferability-enhancing attack methods, testing on 18 popular models from 4 types of neural networks. Our re-evaluation reveals that adversarial transferability is often overestimated, and that there is no single AE that transfers to all popular models. The transferability ranking of previous attack methods changes under our comprehensive evaluation. Based on our analysis, we propose a reliable benchmark including three evaluation protocols. Adversarial transferability on our new benchmark is extremely low, which further confirms the overestimation of adversarial transferability. We release our benchmark at https://adv-trans-eval.github.io to facilitate future research, including code, model checkpoints, and evaluation protocols.
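The abstract's two central claims, that transferability measured on CNNs alone is overestimated and that the ranking of attack methods changes once other architecture families are included, come down to how the evaluation is scored. The following is an added example, not code from the paper or its benchmark: every model, attack and prediction in it is constructed toy data, and it shows the bookkeeping a defender would use to reproduce such a re-evaluation, including the "one AE fools every model" metric.

```python
"""Bookkeeping for a cross-architecture transferability re-evaluation like the
one the abstract describes.  Every model, attack and prediction below is
constructed toy data (an assumption, not the paper's numbers); the point is the
metric logic, not the values."""
from fractions import Fraction

TRUE = [0, 1, 2, 3, 4]  # ground-truth labels of five constructed clean images

# Constructed: each hypothetical target model's prediction on the clean images.
CLEAN = {
    "cnn_a": [0, 1, 2, 3, 4],
    "cnn_b": [0, 1, 2, 3, 4],
    "vit_a": [0, 1, 2, 3, 4],
    "snn_a": [0, 1, 2, 3, 0],   # already wrong on image 4 before any attack
}

# Constructed: ADV[attack][model] = target's prediction on the AEs that attack
# produced on some surrogate; "attack_A" exploits CNN biases, "attack_B" less so.
ADV = {
    "attack_A": {"cnn_a": [1, 2, 3, 4, 0], "cnn_b": [1, 2, 3, 4, 4],
                 "vit_a": [0, 1, 2, 3, 0], "snn_a": [0, 1, 2, 3, 4]},
    "attack_B": {"cnn_a": [9, 9, 9, 3, 4], "cnn_b": [9, 9, 2, 3, 9],
                 "vit_a": [9, 9, 2, 9, 4], "snn_a": [9, 9, 2, 3, 4]},
}

def fooled(attack, model, i):
    """True if the AE for image i flips a target that was right on the clean image."""
    return CLEAN[model][i] == TRUE[i] and ADV[attack][model][i] != TRUE[i]

def transfer_rate(attack, targets):
    """Micro-averaged transfer success over (image, target) pairs.  Only images the
    target classifies correctly when clean count, so pre-existing errors are not
    credited to the attack.  Fraction keeps the comparison between rates exact."""
    hits = sum(fooled(attack, m, i) for m in targets for i in range(len(TRUE)))
    eligible = sum(CLEAN[m][i] == TRUE[i] for m in targets for i in range(len(TRUE)))
    return Fraction(hits, eligible)

def all_model_transfer(attack, targets):
    """Fraction of images (correct on every target when clean) whose single AE
    fools every target at once: the "one AE for all models" case."""
    idx = [i for i in range(len(TRUE)) if all(CLEAN[m][i] == TRUE[i] for m in targets)]
    return Fraction(sum(all(fooled(attack, m, i) for m in targets) for i in idx), len(idx))

def ranking(targets):
    """Attacks ordered from most to least transferable on the given targets."""
    return sorted(ADV, key=lambda a: transfer_rate(a, targets), reverse=True)

if __name__ == "__main__":
    for name, t in (("CNN-only", ["cnn_a", "cnn_b"]), ("all families", list(CLEAN))):
        print(name, {a: str(transfer_rate(a, t)) for a in ADV}, ranking(t),
              {a: str(all_model_transfer(a, t)) for a in ADV})
```

On the CNN-only target set attack_A ranks first; adding the ViT and SNN targets reverses the ranking and drives the all-model transfer fraction of attack_A to zero, which is the effect the abstract reports.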
