Boosting the Transferability of Adversarial Attacks with Global Momentum Initialization

Deep neural networks are vulnerable to adversarial examples, which add human-imperceptible perturbations to benign inputs. Adversarial examples also exhibit transferability across different models, which makes practical black-box attacks feasible. However, existing methods are still incapable of achieving the desired transfer attack performance. In this work, from the perspective of gradient optimization and consistency, we analyze and discover the gradient elimination phenomenon as well as the local momentum optimum dilemma. To tackle these issues, we propose Global Momentum Initialization (GI) to suppress gradient elimination and help search for the global optimum. Specifically, we perform gradient pre-convergence before the attack and carry out a global search during the pre-convergence stage. Our method can be easily combined with almost all existing transfer methods, and we improve the success rate of transfer attacks significantly, by an average of 6.4%, under various advanced defense mechanisms compared to state-of-the-art methods. Ultimately, we achieve an attack success rate of 95.4%, fully illustrating the insecurity of existing defense mechanisms. Code is available at https://github.com/Omenzychen/Global-Momentum-Initialization.
