LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity
This paper addresses the challenge of creating more effective adversarial attacks for security testing in machine learning. It represents a novel approach rather than an incremental improvement.
The paper tackles the problem of improving the transferability of black-box adversarial attacks by proposing LGV, a technique that leverages geometric properties of the weight space, resulting in performance gains of 1.8 to 59.9 percentage points over existing methods.
We propose transferability from Large Geometric Vicinity (LGV), a new technique to increase the transferability of black-box adversarial attacks. LGV starts from a pretrained surrogate model and collects multiple weight sets from a few additional training epochs with a constant and high learning rate. LGV exploits two geometric properties that we relate to transferability. First, models that belong to a wider weight optimum are better surrogates. Second, we identify a subspace able to generate an effective surrogate ensemble among this wider optimum. Through extensive experiments, we show that LGV alone outperforms all (combinations of) four established test-time transformations by 1.8 to 59.9 percentage points. Our findings shed new light on the importance of the geometry of the weight space to explain the transferability of adversarial examples.