Core Concepts
Averaging multiple batches of adversarial examples under different hyperparameter configurations, known as "adversarial example soups," can significantly improve transferability without additional generation time.
Abstract
In the study on Adversarial Example Soups, the authors propose a method to enhance transferability in adversarial attacks by averaging multiple batches of fine-tuned adversarial examples. This approach, orthogonal to existing methods, shows improved attack success rates without increasing computational costs. The research covers various types of adversarial example soups and their impact on different models and defense mechanisms.
The experiments demonstrate that the proposed Adversarial Example Soup (AES) attacks outperform baseline methods in attack success rate. The AES approach provides flexibility and adaptability, offering new insights for further exploration in the field of adversarial attacks.
The study also includes an ablation study to analyze the impact of parameters, such as the number of sampled images, on transferability. Visualizations of CAM attention maps show how AES attacks counteract invalid perturbations and focus on positive perturbations for improved transferability.
Further analysis explores the potential for other types of adversarial example soups and their application in speech adversarial attacks. Overall, the research highlights the effectiveness and generality of AES attacks in enhancing transferability in adversarial scenarios.
Stats
Compared with traditional methods, the proposed method incurs no additional generation time or computational cost.
Extensive experiments on the ImageNet dataset show that our methods achieve a higher attack success rate than state-of-the-art attacks.
The attack success rates of our AES-DIM gradually rise as the number of sampled images increases from 1 to 20.
The average attack success rate of AES-SSA on ten advanced defense models reached 85.9%.