Improving adversarial transferability with worst-case aware attacks

Generating adversarial examples with high transferability is key to practical black-box attack scenarios, where the attacker has limited or no information about the target models. While previous work mainly manipulates the input transformation or the optimization process to reduce overfitting to a surrogate model and so enhance adversarial transferability, we find that well-designed model manipulation provides a complementary gain on top of existing methods. We propose Worst-case Aware Attack (WAA), a simple and effective method that gives the attack access to a virtual ensemble of models and thereby mitigates overfitting to one specific model during adversarial example generation. Specifically, WAA formulates a bi-level optimization that seeks adversarial examples robust against worst-case models; each worst-case model is created by adding a per-example weight perturbation to the source model in the direction that weakens the adversarial example in question, so the attack step is taken against the nearby model that resists that example most. Unlike other model manipulation methods, WAA requires neither multiple surrogate models nor architecture-specific knowledge. Experimental results on ImageNet demonstrate that WAA can be combined with a variety of existing methods to consistently improve transferability in different settings, including naturally trained models, adversarially trained models, and adversarial defenses.
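The bi-level scheme the abstract describes, as an added illustrative reconstruction (this is not the thesis's code and not its exact formulation, which the record does not give): a tiny two-layer ReLU network in numpy stands in for the surrogate, a second independently trained one for the black-box target, and the inner problem is approximated by a single normalised gradient step in weight space of L2 radius `rho` that lowers the loss on the current adversarial example (an assumption; the thesis's inner solver, radius and hyperparameters are not on this page). The data, architectures and all hyperparameters are constructed, and no transfer-rate improvement is claimed for this toy; the point is the structure of the loop and the checks one can make on it.

```python
# Added illustrative reconstruction (not the thesis's code). Bi-level attack step:
#   inner: per-example weight perturbation (L2 radius rho, one normalised gradient
#          step; an assumption) that lowers the loss on the current adversarial
#          example, i.e. the nearby model that resists this example best;
#   outer: L-inf PGD step using the input gradient taken at those worst-case weights.
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def forward(params, X):
    W1, b1, W2, b2 = params
    pre = X @ W1.T + b1                  # (N, H) pre-activations
    h = np.maximum(pre, 0.0)             # ReLU
    return pre, h, sigmoid(h @ W2 + b2)  # (N,) probability of class 1

def loss_and_grads(params, X, y):
    """Summed binary cross-entropy plus gradients w.r.t. parameters and input."""
    W1, b1, W2, b2 = params
    pre, h, p = forward(params, X)
    L = -np.sum(y * np.log(p + 1e-12) + (1 - y) * np.log(1 - p + 1e-12))
    dz = p - y                                  # dL/dlogit, shape (N,)
    dh = np.outer(dz, W2) * (pre > 0)           # back through W2 and ReLU, (N, H)
    grads = (dh.T @ X, dh.sum(axis=0), h.T @ dz, dz.sum())
    return L, grads, dh @ W1                    # dL/dX has shape (N, 2)

def train(X, y, hidden, seed, steps=400, lr=0.05):
    """Plain full-batch gradient descent; stands in for 'a trained model'."""
    rng = np.random.default_rng(seed)
    params = [rng.normal(scale=0.5, size=(hidden, 2)), np.zeros(hidden),
              rng.normal(scale=0.5, size=hidden), 0.0]
    for _ in range(steps):
        _, grads, _ = loss_and_grads(params, X, y)
        params = [p - lr * g / len(X) for p, g in zip(params, grads)]
    return params

def worst_case_params(params, x, y, rho):
    """Inner problem, first-order: move the weights by rho (L2 over all parameters)
    against the loss gradient on this example; keep the surrogate itself if the
    linearised step did not actually reduce the loss."""
    L0, grads, _ = loss_and_grads(params, x, y)
    norm = np.sqrt(sum(np.sum(g * g) for g in grads))
    if norm == 0.0:
        return params
    cand = [p - rho * g / norm for p, g in zip(params, grads)]
    return cand if loss_and_grads(cand, x, y)[0] < L0 else params

def attack(params, x, y, eps, alpha, steps, rho=None):
    """L-inf PGD on one example (x has shape (1, 2)). rho=None is plain PGD on the
    surrogate; with rho set, every step attacks the worst-case model for the
    current iterate instead. Returns the iterate with the highest objective."""
    def objective(x_cur):
        eff = params if rho is None else worst_case_params(params, x_cur, y, rho)
        L, _, dx = loss_and_grads(eff, x_cur, y)
        return L, dx
    x_adv, best_x, best_L = x.copy(), x.copy(), -np.inf
    for i in range(steps + 1):
        L, dx = objective(x_adv)
        if L > best_L:
            best_x, best_L = x_adv.copy(), L
        if i < steps:
            x_adv = np.clip(x_adv + alpha * np.sign(dx), x - eps, x + eps)
    return best_x

def craft(params, X, y, eps, alpha, steps, rho=None):
    return np.vstack([attack(params, X[i:i + 1], y[i:i + 1], eps, alpha, steps, rho)
                      for i in range(len(X))])

def accuracy(params, X, y):
    return float(np.mean((forward(params, X)[2] > 0.5) == (y == 1)))

def run_demo(eps=0.3, alpha=0.05, steps=20, rho=0.5):
    rng = np.random.default_rng(0)
    X = rng.uniform(-1.0, 1.0, size=(400, 2))   # constructed 2-D inputs
    y = (X[:, 0] * X[:, 1] > 0).astype(float)    # XOR-of-signs labels
    surrogate = train(X[:200], y[:200], hidden=16, seed=1)
    target = train(X[200:350], y[200:350], hidden=16, seed=2)   # black-box stand-in
    Xt, yt = X[350:], y[350:]
    X_pgd = craft(surrogate, Xt, yt, eps, alpha, steps)
    X_waa = craft(surrogate, Xt, yt, eps, alpha, steps, rho)
    # How much the worst-case weights re-strengthen the surrogate on the WAA examples.
    inner_gain = np.mean([
        loss_and_grads(surrogate, X_waa[i:i + 1], yt[i:i + 1])[0]
        - loss_and_grads(worst_case_params(surrogate, X_waa[i:i + 1], yt[i:i + 1], rho),
                         X_waa[i:i + 1], yt[i:i + 1])[0]
        for i in range(len(Xt))])
    return {
        "clean_acc_target": accuracy(target, Xt, yt),
        "pgd_acc_target": accuracy(target, X_pgd, yt),
        "waa_acc_target": accuracy(target, X_waa, yt),
        "pgd_linf": float(np.abs(X_pgd - Xt).max()),
        "waa_linf": float(np.abs(X_waa - Xt).max()),
        "pgd_surrogate_gain": float(loss_and_grads(surrogate, X_pgd, yt)[0]
                                    - loss_and_grads(surrogate, Xt, yt)[0]),
        "waa_inner_gain": float(inner_gain),
    }
```

`run_demo()` reports target accuracy on clean inputs and under both attacks, the largest L-inf distance actually used (must not exceed `eps`), how much the surrogate loss rose on the PGD examples, and how much the inner step lowers the loss on the final WAA examples (non-negative by construction, since the inner step falls back to the unperturbed surrogate when its linearised step does not help). With a real surrogate the same `worst_case_params` step would be taken with autograd over all layers; the per-example loop in `craft` is what makes the weight perturbation per-example rather than per-batch.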
Advisors
Hong, Seunghoon (홍승훈)
Description
Korea Advanced Institute of Science and Technology : School of Computing
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2023
Identifier
325007
Language
eng
Description

Master's thesis - Korea Advanced Institute of Science and Technology : School of Computing, 2023.2, [iii, 30 p.]

Keywords

Black-box Adversarial Attack; Adversarial Transferability; Overfitting

URI
http://hdl.handle.net/10203/309590
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1032953&flag=dissertation
Appears in Collection
CS-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.
