Jul 21, 2023

Improving Transferability of Adversarial Examples via Bayesian Attacks

arXiv:2307.11334v2 | 2 citations | h-index: 103 | Has Code
Originality: Highly original
AI Analysis

This work addresses a security threat in AI applications by enhancing adversarial transferability, representing a strong specific gain in the field.

The paper tackles the problem of improving the transferability of adversarial examples to attack unknown deep neural networks, achieving a new state-of-the-art in transfer-based attacks with significant improvements in average success rates on ImageNet and CIFAR-10.

The transferability of adversarial examples allows for the attack on unknown deep neural networks (DNNs), posing a serious threat to many applications and attracting great attention. In this paper, we improve the transferability of adversarial examples by incorporating the Bayesian formulation into both the model parameters and the model input, enabling their joint diversification. We demonstrate that the combination of Bayesian formulations for both the model input and the model parameters yields significant improvements in transferability. By introducing advanced approximations of the posterior distribution over the model input, adversarial transferability is enhanced further, surpassing all state-of-the-art methods when attacking without model fine-tuning. Additionally, we propose a principled approach to fine-tune model parameters within this Bayesian framework. Extensive experiments demonstrate that our method achieves a new state-of-the-art in transfer-based attacks, significantly improving the average success rate on ImageNet and CIFAR-10. Code at: https://github.com/qizhangli/MoreBayesian-jrnl.
