Enhancing Cross-task Black-Box Transferability of Adversarial Examples with Dispersion Reduction
This addresses a real-world cybersecurity challenge for attackers needing to evade diverse defense mechanisms, representing an incremental advance in cross-task transferability.
The paper tackled the problem of adversarial example transferability across different computer vision tasks, proposing an attack that minimizes internal feature map dispersion to degrade performance on multiple tasks with modest perturbations (linf=16).
Neural networks are known to be vulnerable to carefully crafted adversarial examples, and these malicious samples often transfer, i.e., they remain adversarial even against other models. Although great efforts have been delved into the transferability across models, surprisingly, less attention has been paid to the cross-task transferability, which represents the real-world cybercriminal's situation, where an ensemble of different defense/detection mechanisms need to be evaded all at once. In this paper, we investigate the transferability of adversarial examples across a wide range of real-world computer vision tasks, including image classification, object detection, semantic segmentation, explicit content detection, and text detection. Our proposed attack minimizes the ``dispersion'' of the internal feature map, which overcomes existing attacks' limitation of requiring task-specific loss functions and/or probing a target model. We conduct evaluation on open source detection and segmentation models as well as four different computer vision tasks provided by Google Cloud Vision (GCV) APIs, to show how our approach outperforms existing attacks by degrading performance of multiple CV tasks by a large margin with only modest perturbations linf=16.