CV | Jul 12, 2022

Frequency Domain Model Augmentation for Adversarial Attack

arXiv:2207.05382v1255 citations | h-index: 63 | Has Code
Originality: Incremental advance
AI Analysis

This work addresses the challenge of improving adversarial example transferability for black-box attacks, which is crucial for evaluating and enhancing the robustness of machine learning models, though it is incremental as it builds on existing model augmentation methods.

The paper tackles the problem of weak attack performance in black-box adversarial attacks due to the gap between substitute and victim models by proposing a novel spectrum simulation attack that performs model augmentation in the frequency domain, achieving an average success rate of 95.4% against nine state-of-the-art defense models on ImageNet.

For black-box attacks, the gap between the substitute model and the victim model is usually large, which manifests as a weak attack performance. Motivated by the observation that the transferability of adversarial examples can be improved by attacking diverse models simultaneously, model augmentation methods which simulate different models by using transformed images are proposed. However, existing transformations for spatial domain do not translate to significantly diverse augmented models. To tackle this issue, we propose a novel spectrum simulation attack to craft more transferable adversarial examples against both normally trained and defense models. Specifically, we apply a spectrum transformation to the input and thus perform the model augmentation in the frequency domain. We theoretically prove that the transformation derived from frequency domain leads to a diverse spectrum saliency map, an indicator we proposed to reflect the diversity of substitute models. Notably, our method can be generally combined with existing attacks. Extensive experiments on the ImageNet dataset demonstrate the effectiveness of our method, e.g., attacking nine state-of-the-art defense models with an average success rate of 95.4%. Our code is available in https://github.com/yuyang-long/SSA.
