Everywhere Attack: Attacking Locally and Globally to Boost Targeted Transferability
It addresses the problem of targeted adversarial transferability for machine learning security, offering an incremental improvement over existing methods.
The paper tackles the challenge of targeted transferability in adversarial examples by proposing an everywhere scheme that attacks images both globally and locally, splitting them into blocks to optimize multiple targets per region. This method improves state-of-the-art targeted attacks by up to 300% in transferability on ImageNet and shows effectiveness on Google Cloud Vision.
Adversarial examples' (AE) transferability refers to the phenomenon that AEs crafted with one surrogate model can also fool other models. Notwithstanding remarkable progress in untargeted transferability, its targeted counterpart remains challenging. This paper proposes an everywhere scheme to boost targeted transferability. Our idea is to attack a victim image both globally and locally. We aim to optimize 'an army of targets' in every local image region instead of the previous works that optimize a high-confidence target in the image. Specifically, we split a victim image into non-overlap blocks and jointly mount a targeted attack on each block. Such a strategy mitigates transfer failures caused by attention inconsistency between surrogate and victim models and thus results in stronger transferability. Our approach is method-agnostic, which means it can be easily combined with existing transferable attacks for even higher transferability. Extensive experiments on ImageNet demonstrate that the proposed approach universally improves the state-of-the-art targeted attacks by a clear margin, e.g., the transferability of the widely adopted Logit attack can be improved by 28.8%-300%.We also evaluate the crafted AEs on a real-world platform: Google Cloud Vision. Results further support the superiority of the proposed method.