Abstract
Transferable targeted adversarial attack against deep image classifiers has remained an open issue. Depending on the space to optimize the loss, the existing methods can be divided into two categories: (a) feature space attack and (b) output space attack. The feature space attack outperforms output space one by a large margin but at the cost of requiring the training of layer-wise auxiliary classifiers for each corresponding target class together with the greedy search for the optimal layers. In this work, we revisit the method of output space attack and improve it from two perspectives. First, we identify over-fitting as one major factor that hinders transferability, for which we propose to augment the network input and/or feature layers with noise. Second, we propose a new cross-entropy loss with two ends: one for pushing the sample far from the source class, i.e. ground-truth class, and the other for pulling it close to the target class. We demonstrate that simple techniques are sufficient enough for achieving very competitive performance.
| Original language | English |
|---|---|
| Title of host publication | MM 2023 - Proceedings of the 31st ACM International Conference on Multimedia |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 8486-8494 |
| Number of pages | 9 |
| ISBN (Electronic) | 9798400701085 |
| DOIs | |
| Publication status | Published - 26 Oct 2023 |
| Event | 31st ACM International Conference on Multimedia, MM 2023 - Ottawa, Canada Duration: 29 Oct 2023 → 3 Nov 2023 |
Publication series
| Name | MM 2023 - Proceedings of the 31st ACM International Conference on Multimedia |
|---|
Conference
| Conference | 31st ACM International Conference on Multimedia, MM 2023 |
|---|---|
| Country/Territory | Canada |
| City | Ottawa |
| Period | 29/10/23 → 3/11/23 |
Bibliographical note
Publisher Copyright:© 2023 ACM.
Keywords
- adversarial transferability
- transferable attacks, targeted attacks