Abstract

Deep neural networks are highly vulnerable to adversarial examples, which add subtle perturbations to the original image that are difficult for humans to perceive but can make the network produce wrong classification results. Current advanced adversarial attack methods achieve satisfactory results in the white-box setting, but they show poor transferability when attacking black-box models, especially defense models. The transferability of adversarial attacks in the black-box setting can mainly be improved from two perspectives: gradient optimization and image transformation. We propose a new image transformation method that, unlike previous works, does not treat every pixel equally. We use the magnitude of the gradient value to reflect the importance of pixels, assign a different scaling factor to each gradient unit, and apply a heuristic random transformation to the input images in each iteration to achieve data augmentation, obtain a more stable update direction, and escape from local optima. Extensive experiments on the ImageNet dataset show that the proposed method performs better than existing methods. In addition, our method can be combined with other attack methods to further improve the transferability of adversarial attacks, and it also performs excellently on defense models.
