LG | CR | CV | Nov 2, 2023

Towards Evaluating Transfer-based Attacks Systematically, Practically, and Fairly

arXiv:2311.01323v1 | 9 citations | h-index: 17 | Has Code
Originality: Synthesis-oriented
AI Analysis

This work addresses the need for systematic and fair evaluation of adversarial attack methods for researchers and practitioners in AI security, though it is incremental as it focuses on benchmarking rather than introducing new attacks.

The paper tackles the lack of standardized benchmarks for evaluating transfer-based adversarial attacks on deep neural networks, establishing TA-Bench to comprehensively compare 30+ methods across 25 models on ImageNet, revealing new insights and providing evaluation guidelines.

The adversarial vulnerability of deep neural networks (DNNs) has drawn great attention due to the security risk of applying these models in real-world applications. Based on the transferability of adversarial examples, an increasing number of transfer-based methods have been developed to fool black-box DNN models whose architecture and parameters are inaccessible. Although tremendous effort has been exerted, a standardized benchmark that can be used to compare these methods systematically, fairly, and practically is still lacking. Our investigation shows that the evaluation of some methods needs to be more reasonable and more thorough to verify their effectiveness, to avoid, for example, unfair comparison and insufficient consideration of possible substitute/victim models. Therefore, we establish a transfer-based attack benchmark (TA-Bench) which implements 30+ methods. In this paper, we evaluate and compare them comprehensively on 25 popular substitute/victim models on ImageNet. New insights about the effectiveness of these methods are gained and guidelines for future evaluations are provided. Code at: https://github.com/qizhangli/TA-Bench.

Code Implementations: 1 repo