CV · Apr 23, 2023

StyLess: Boosting the Transferability of Adversarial Examples

arXiv:2304.11579v1 · 27 citations · h-index: 10
Originality: Incremental advance
AI Analysis

This work bears on a security threat to real-world applications: it enhances the ability of adversarial examples to attack black-box deep neural networks, though it is an incremental improvement over existing transferable attacks.

The authors tackled the problem of limited transferability in adversarial attacks by proposing StyLess, a method that uses stylized networks to prevent reliance on non-robust style features, resulting in significantly improved attack transferability that outperforms state-of-the-art methods.

Adversarial attacks can mislead deep neural networks (DNNs) by adding imperceptible perturbations to benign examples. The attack transferability enables adversarial examples to attack black-box DNNs with unknown architectures or parameters, which poses threats to many real-world applications. We find that existing transferable attacks do not distinguish between style and content features during optimization, limiting their attack transferability. To improve attack transferability, we propose a novel attack method called style-less perturbation (StyLess). Specifically, instead of using a vanilla network as the surrogate model, we advocate using stylized networks, which encode different style features by perturbing an adaptive instance normalization. Our method can prevent adversarial examples from using non-robust style features and help generate transferable perturbations. Comprehensive experiments show that our method can significantly improve the transferability of adversarial examples. Furthermore, our approach is generic and can outperform state-of-the-art transferable attacks when combined with other attack techniques.

Code Implementations: 1 repo