TY - GEN
T1 - Enhancing the Transferability of Adversarial Examples with Random Patch
AU - Zhang, Yaoyuan
AU - Tan, Yu An
AU - Chen, Tian
AU - Liu, Xinrui
AU - Zhang, Quanxin
AU - Li, Yuanzhang
N1 - Publisher Copyright:
© 2022 International Joint Conferences on Artificial Intelligence. All rights reserved.
PY - 2022
Y1 - 2022
N2 - Adversarial examples can fool deep learning models, and their transferability is critical for attacking black-box models in real-world scenarios. Existing state-of-the-art transferable adversarial attacks tend to exploit intrinsic features of objects to generate adversarial examples. This paper proposes the Random Patch Attack (RPA) to significantly improve the transferability of adversarial examples by the patch-wise random transformation that effectively highlights important intrinsic features of objects. Specifically, we introduce random patch transformations to original images to variate model-specific features. Important object-related features are preserved after aggregating the transformed images since they stay consistent in multiple transformations while model-specific elements are neutralized. The obtained essential features steer noises to perturb the object-related regions, generating the adversarial examples of superior transferability across different models. Extensive experimental results demonstrate the effectiveness of the proposed RPA. Compared to the state-of-the-art transferable attacks, our attacks improve the black-box attack success rate by 2.9% against normally trained models, 4.7% against defense models, and 4.6% against vision transformers on average, reaching a maximum of 99.1%, 93.2%, and 87.8%, respectively.
AB - Adversarial examples can fool deep learning models, and their transferability is critical for attacking black-box models in real-world scenarios. Existing state-of-the-art transferable adversarial attacks tend to exploit intrinsic features of objects to generate adversarial examples. This paper proposes the Random Patch Attack (RPA) to significantly improve the transferability of adversarial examples by the patch-wise random transformation that effectively highlights important intrinsic features of objects. Specifically, we introduce random patch transformations to original images to variate model-specific features. Important object-related features are preserved after aggregating the transformed images since they stay consistent in multiple transformations while model-specific elements are neutralized. The obtained essential features steer noises to perturb the object-related regions, generating the adversarial examples of superior transferability across different models. Extensive experimental results demonstrate the effectiveness of the proposed RPA. Compared to the state-of-the-art transferable attacks, our attacks improve the black-box attack success rate by 2.9% against normally trained models, 4.7% against defense models, and 4.6% against vision transformers on average, reaching a maximum of 99.1%, 93.2%, and 87.8%, respectively.
UR - http://www.scopus.com/inward/record.url?scp=85137912529&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85137912529
T3 - IJCAI International Joint Conference on Artificial Intelligence
SP - 1672
EP - 1678
BT - Proceedings of the 31st International Joint Conference on Artificial Intelligence, IJCAI 2022
A2 - De Raedt, Luc
A2 - De Raedt, Luc
PB - International Joint Conferences on Artificial Intelligence
T2 - 31st International Joint Conference on Artificial Intelligence, IJCAI 2022
Y2 - 23 July 2022 through 29 July 2022
ER -