An established way to improve the transferability of black-box evasion attacks is to craft the adversarial examples on a surrogate ensemble model to increase diversity. We argue that transferability is fundamentally related to epistemic uncertainty. Based on a state-of-the-art Bayesian Deep Learning technique, we propose a new method to efficiently build a surrogate by sampling approximately from the posterior distribution of neural network weights, which represents the belief about the value of each parameter. Our extensive experiments on ImageNet and CIFAR-10 show that our approach significantly improves the transfer rates of four state-of-the-art attacks (up to 62.1 percentage points), in both intra-architecture and inter-architecture cases. On ImageNet, our approach can reach a 94% transfer rate while reducing training computations from 11.6 to 2.4 exaflops, compared to an ensemble of independently trained DNNs. Our vanilla surrogate achieves higher transferability than 3 test-time techniques designed for this purpose 87.5% of the time. Our work demonstrates that the way a surrogate is trained has been overlooked, although it is an important element of transfer-based attacks. We are, therefore, the first to review the effectiveness of several training methods in increasing transferability. We provide new directions to better understand the transferability phenomenon and offer a simple but strong baseline for future work.