Compared to query-based black-box attacks, transfer-based black-box attacks do not require any information of the attacked models, which ensures their secrecy. However, most existing transfer-based approaches rely on ensembling multiple models to boost the attack transferability, which is time- and resource-intensive, not to mention the difficulty of obtaining diverse models on the same task. To address this limitation, in this work, we focus on the single-model transfer-based black-box attack on object detection, utilizing only one model to achieve a high-transferability adversarial attack on multiple black-box detectors. Specifically, we first make observations on the patch optimization process of the existing method and propose an enhanced attack framework by slightly adjusting its training strategies. Then, we analogize patch optimization with regular model optimization, proposing a series of self-ensemble approaches on the input data, the attacked model, and the adversarial patch to efficiently make use of the limited information and prevent the patch from overfitting. The experimental results show that the proposed framework can be applied with multiple classical base attack methods (e.g., PGD and MIM) to greatly improve the black-box transferability of the well-optimized patch on multiple mainstream detectors, meanwhile boosting white-box performance. Our code is available at https://github.com/VDIGPKU/T-SEA.
翻译:与基于询问的黑箱袭击相比,基于转移的黑箱袭击并不要求任何关于被攻击模式的信息,这种模式可以确保保密。然而,大多数基于转让的现有方法都依赖于组合多种模式,以促进攻击性转移,而攻击性转移是时间和资源密集型的,更不用说在同一任务上获得多种模式的难度。为了解决这一限制,我们在这项工作中侧重于单一模式的基于转移的黑箱袭击,只使用一种模式来实现对多个黑箱探测器的高可转移性对立攻击。具体地说,我们首先对现有方法的补丁优化进程发表意见,并通过稍微调整其培训战略提出强化攻击性框架。然后,我们将补齐优化与常规模式优化进行模拟,就输入数据、被攻击模式和对抗性格网状组合提出一系列自构式方法,以便有效利用有限信息并防止对目标探测的补补补。实验结果表明,拟议的框架可以使用多种古典基础袭击方法(e.g., PGD和 MIM)应用多种古典基础袭击方法来大大改进我们现有的黑箱/MEM)的升级化标准性。