Boosting Adversarial Transferability Against Defenses via Multi-Scale Transformation
This work addresses security challenges in deep neural networks by boosting adversarial transferability, representing an incremental improvement over existing attack methods.
The paper tackles the problem of improving adversarial example transferability against defense models by proposing a Segmented Gaussian Pyramid (SGP) attack method, which uses multi-scale transformations and raises average attack success rates against black-box defense models by 2.3% to 32.6% compared to state-of-the-art methods.
The transferability of adversarial examples poses a significant security challenge for deep neural networks, because a network can be attacked without the attacker knowing anything about it. In this paper, we propose a new Segmented Gaussian Pyramid (SGP) attack method to enhance transferability, particularly against defense models. Unlike existing methods, which generally focus on single-scale images, our approach employs Gaussian filtering and three types of downsampling to construct a series of multi-scale examples. The gradients of the loss function with respect to each scale are then computed, and their average is used to determine the adversarial perturbations. The proposed SGP can be considered an input transformation with high extensibility that is easily integrated into most existing adversarial attacks. Extensive experiments demonstrate that, compared with state-of-the-art methods, SGP significantly enhances attack success rates against black-box defense models, with average attack success rates increasing by 2.3% to 32.6%, based only on transferability.