Enhancing the Self-Universality for Transferable Targeted Attacks
This work addresses the challenge of improving targeted attack transferability in adversarial machine learning, which is incremental as it builds on existing methods by focusing on self-universality without extra data.
The paper tackles the problem of transfer-based targeted attacks in adversarial machine learning by proposing a method that optimizes adversarial perturbations to be agnostic to different regions within an image, achieving a 12% improvement in success rates on the ImageNet-compatible dataset compared to existing state-of-the-art methods.
In this paper, we propose a novel transfer-based targeted attack method that optimizes the adversarial perturbations without any extra training efforts for auxiliary networks on training data. Our new attack method is proposed based on the observation that highly universal adversarial perturbations tend to be more transferable for targeted attacks. Therefore, we propose to make the perturbation to be agnostic to different local regions within one image, which we called as self-universality. Instead of optimizing the perturbations on different images, optimizing on different regions to achieve self-universality can get rid of using extra data. Specifically, we introduce a feature similarity loss that encourages the learned perturbations to be universal by maximizing the feature similarity between adversarial perturbed global images and randomly cropped local regions. With the feature similarity loss, our method makes the features from adversarial perturbations to be more dominant than that of benign images, hence improving targeted transferability. We name the proposed attack method as Self-Universality (SU) attack. Extensive experiments demonstrate that SU can achieve high success rates for transfer-based targeted attacks. On ImageNet-compatible dataset, SU yields an improvement of 12\% compared with existing state-of-the-art methods. Code is available at https://github.com/zhipeng-wei/Self-Universality.