Improving Integrated Gradient-based Transferable Adversarial Examples by Refining the Integration Path
This work addresses the problem of generating more effective transferable adversarial examples for black-box attacks in machine learning security, representing an incremental improvement over existing methods.
The paper tackled the limited transferability of integrated gradient-based adversarial attacks by refining the integration path through multiplicity, monotonicity, and diversity, resulting in up to 37.3% improvement over the latest IG-based attack and 8.4% over other state-of-the-art attacks.
Transferable adversarial examples are known to cause threats in practical, black-box attack scenarios. A notable approach to improving transferability is using integrated gradients (IG), originally developed for model interpretability. In this paper, we find that existing IG-based attacks have limited transferability due to their naive adoption of IG in model interpretability. To address this limitation, we focus on the IG integration path and refine it in three aspects: multiplicity, monotonicity, and diversity, supported by theoretical analyses. We propose the Multiple Monotonic Diversified Integrated Gradients (MuMoDIG) attack, which can generate highly transferable adversarial examples on different CNN and ViT models and defenses. Experiments validate that MuMoDIG outperforms the latest IG-based attack by up to 37.3\% and other state-of-the-art attacks by 8.4\%. In general, our study reveals that migrating established techniques to improve transferability may require non-trivial efforts. Code is available at \url{https://github.com/RYC-98/MuMoDIG}.