[1] Xie C, Zhang Z, Zhou Y, et al. Improving transferability of adversarial examples with input diversity[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2019: 2730-2739.
Abstract:
problem: most existing adversarial attacks achieve only a low success rate under the challenging black-box setting.
method: improve the transferability of adversarial examples by creating diverse input patterns; random transformations are applied to the input images at each iteration.
Experiment: on ImageNet, the generated adversarial examples transfer much better.
Evaluation: against the top defense solutions and official baselines from the NIPS 2017 adversarial competition, the attack reaches an average success rate of 73.0, outperforming the top-1 attack submission in the NIPS competition by a large margin of 6.6%.
1. Introduction:
The recent success of Convolutional Neural Networks (CNNs) has led to dramatic performance improvements in Computer Vision (CV), but CNNs are extremely vulnerable to small perturbations of the input images. A human-imperceptible additive perturbation can cause a CNN to make an incorrect prediction.
Two types of attacks (according to the number of gradient computation steps):
- single-step attacks: perform better in the black-box setting.
- iterative attacks: perform better in the white-box setting.
reason: iterative attacks tend to overfit the specific network parameters, so the generated adversarial examples rarely transfer to other networks; single-step attacks usually underfit the network parameters, producing adversarial examples with slightly better transferability.
goals: generate adversarial examples with high success rates under both white-box and black-box settings.
work: creating diverse input patterns to improve the transferability of adversarial examples.