AutoAugment Input Transformation for Highly Transferable Targeted Attacks
This addresses the problem of targeted adversarial attacks for security researchers, offering an incremental improvement by focusing on input transformation rather than gradient optimization.
The paper tackles the low success rates of targeted adversarial attacks by proposing AutoAugment Input Transformation (AAIT), which searches for optimal transformation policies to boost transferability, achieving significant improvements over other methods on CIFAR-10 and ImageNet-Compatible datasets.
Deep Neural Networks (DNNs) are widely acknowledged to be susceptible to adversarial examples, wherein imperceptible perturbations are added to clean examples through diverse input transformation attacks. However, these methods originally designed for non-targeted attacks exhibit low success rates in targeted attacks. Recent targeted adversarial attacks mainly pay attention to gradient optimization, attempting to find the suitable perturbation direction. However, few of them are dedicated to input transformation.In this work, we observe a positive correlation between the logit/probability of the target class and diverse input transformation methods in targeted attacks. To this end, we propose a novel targeted adversarial attack called AutoAugment Input Transformation (AAIT). Instead of relying on hand-made strategies, AAIT searches for the optimal transformation policy from a transformation space comprising various operations. Then, AAIT crafts adversarial examples using the found optimal transformation policy to boost the adversarial transferability in targeted attacks. Extensive experiments conducted on CIFAR-10 and ImageNet-Compatible datasets demonstrate that the proposed AAIT surpasses other transfer-based targeted attacks significantly.