For black-box attacks, the gap between the substitute model and the victim model is usually large, which manifests as weak attack performance. Motivated by the observation that the transferability of adversarial examples can be improved by attacking diverse models simultaneously, model augmentation methods, which simulate different models by using transformed images, have been proposed. However, existing transformations in the spatial domain do not translate to significantly diverse augmented models. To tackle this issue, we propose a novel spectrum simulation attack to craft more transferable adversarial examples against both normally trained and defense models. Specifically, we apply a spectrum transformation to the input and thus perform the model augmentation in the frequency domain. We theoretically prove that the transformation derived from the frequency domain leads to a diverse spectrum saliency map, an indicator we propose to reflect the diversity of substitute models. Notably, our method can be generally combined with existing attacks. Extensive experiments on the ImageNet dataset demonstrate the effectiveness of our method, e.g., attacking nine state-of-the-art defense models with an average success rate of 95.4%. Our code is available at https://github.com/yuyang-long/SSA.