Abstract

An interesting property of deep convolutional neural networks is their vulnerability to adversarial examples, which can deceive the models with subtle perturbations. Although adversarial attack algorithms perform very well in the white-box scenario, they frequently show a low attack success rate in the black-box scenario. Various transformation-based attack methods have been shown to enhance the transferability of adversarial examples. In this work, several novel transformation-based attack methods that integrate the Random Block Shuffle (RBS) and Ensemble Random Block Shuffle (ERBS) mechanisms are proposed to boost adversarial transferability. First, the RBS calculates the gradient of the shuffled input instead of the original input. This increases the diversity of the adversarial perturbation's gradient and makes the original input's information less visible to the model. Building on the RBS, the ERBS integrates the gradients of multiple transformed inputs to decrease gradient variance and further stabilize the update direction. Moreover, by combining various gradient-based attack methods with transformation-based methods, adversarial transferability can be further improved and the overfitting problem alleviated. Our best attack method achieves an average success rate of 85.5% on two normally trained models and two adversarially trained models, which outperforms existing baselines.
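The variance claim for ERBS can be checked on a toy differentiable function when evaluating robustness; the sketch below is an added example, not the paper's code. The block-grid layout, the chain-rule mapping of the gradient back to the original pixel positions, the stand-in loss `toy_grad` and all function names are assumptions, since the abstract does not give these details.

```python
import numpy as np

def _split(img, k):
    # (H, W) -> (k*k, H/k, W/k) blocks in row-major grid order; H, W divisible by k
    h, w = img.shape
    return img.reshape(k, h // k, k, w // k).swapaxes(1, 2).reshape(k * k, h // k, w // k)

def _join(blocks, k):
    bh, bw = blocks.shape[1:]
    return blocks.reshape(k, k, bh, bw).swapaxes(1, 2).reshape(k * bh, k * bw)

def block_shuffle(img, k, rng):
    # Randomly permute the k x k grid of blocks; return the permutation for undoing it
    perm = rng.permutation(k * k)
    return _join(_split(img, k)[perm], k), perm

def block_unshuffle(img, k, perm):
    # Inverse of block_shuffle: send block i of the shuffled image back to slot perm[i]
    blocks = _split(img, k)
    out = np.empty_like(blocks)
    out[perm] = blocks
    return _join(out, k)

def toy_grad(img, W):
    # Gradient of sum(tanh(W @ x)) w.r.t. x: a stand-in for a network's loss gradient
    z = W @ img.ravel()
    return (W.T @ (1.0 - np.tanh(z) ** 2)).reshape(img.shape)

def rbs_grad(img, W, k, rng):
    # Gradient evaluated on the shuffled input, mapped back to original positions
    shuffled, perm = block_shuffle(img, k, rng)
    return block_unshuffle(toy_grad(shuffled, W), k, perm)

def erbs_grad(img, W, k, n, rng):
    # Ensemble variant: average the gradients of n independently shuffled copies
    return np.mean([rbs_grad(img, W, k, rng) for _ in range(n)], axis=0)

def variance_demo(trials=200, k=4, n=8, seed=0):
    # Constructed sample data: random 8x8 "image" and a random 4x64 weight matrix
    rng = np.random.default_rng(seed)
    img = rng.random((8, 8))
    W = rng.normal(scale=1 / 8, size=(4, 64))
    single = np.var([rbs_grad(img, W, k, rng) for _ in range(trials)], axis=0).mean()
    ens = np.var([erbs_grad(img, W, k, n, rng) for _ in range(trials)], axis=0).mean()
    return single, ens  # mean per-pixel gradient variance: one shuffle vs. ensemble
```

`variance_demo()` returns the mean per-pixel variance of the single-shuffle gradient and of the ensemble gradient; the second is smaller because averaging independent shuffles reduces variance roughly in proportion to `n`.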
