Two Heads Are Better Than One: Averaging along Fine-Tuning to Improve Targeted Transferability
This work addresses a domain-specific problem in adversarial machine learning by providing an incremental improvement to targeted attack transferability.
The paper tackles the problem of low transferability in targeted adversarial attacks by proposing a method that averages over the fine-tuning trajectory to improve attack effectiveness, achieving superior results compared to existing schemes in various scenarios.
With much longer optimization time than that of untargeted attacks notwithstanding, the transferability of targeted attacks is still far from satisfactory. Recent studies reveal that fine-tuning an existing adversarial example (AE) in feature space can efficiently boost its targeted transferability. However, existing fine-tuning schemes only utilize the endpoint and ignore the valuable information in the fine-tuning trajectory. Noting that the vanilla fine-tuning trajectory tends to oscillate around the periphery of a flat region of the loss surface, we propose averaging over the fine-tuning trajectory to pull the crafted AE towards a more centered region. We compare the proposed method with existing fine-tuning schemes by integrating them with state-of-the-art targeted attacks in various attacking scenarios. Experimental results uphold the superiority of the proposed method in boosting targeted transferability. The code is available at github.com/zengh5/Avg_FT.