Improving Adversarial Transferability with Neighbourhood Gradient Information

• Main Authors: Guo, Haijing, Wang, Jiafeng, Chen, Zhaoyu, Jiang, Kaixun, Hong, Lingyi, Guo, Pinxue, Li, Jinglun, Zhang, Wenqiang
• Format: Journal Article
• Language: English
• Published: 11.08.2024
• Subjects: Computer Science - Computer Vision and Pattern Recognition; Computer Science - Cryptography and Security
• DOI: 10.48550/arxiv.2408.05745

Deep neural networks (DNNs) are known to be susceptible to adversarial examples, leading to significant performance degradation. In black-box attack scenarios, a considerable attack performance gap between the surrogate model and the target model persists. This work focuses on enhancing the transferability of adversarial examples to narrow this performance gap. We observe that the gradient information around the clean image, i.e. Neighbourhood Gradient Information, can offer high transferability. Leveraging this, we propose the NGI-Attack, which incorporates Example Backtracking and Multiplex Mask strategies, to use this gradient information and enhance transferability fully. Specifically, we first adopt Example Backtracking to accumulate Neighbourhood Gradient Information as the initial momentum term. Multiplex Mask, which forms a multi-way attack strategy, aims to force the network to focus on non-discriminative regions, which can obtain richer gradient information during only a few iterations. Extensive experiments demonstrate that our approach significantly enhances adversarial transferability. Especially, when attacking numerous defense models, we achieve an average attack success rate of 95.8%. Notably, our method can plugin with any off-the-shelf algorithm to improve their attack performance without additional time cost.