Deep Neural Networks (DNNs) can be easily fooled by Adversarial Examples (AEs) whose difference from the original samples is imperceptible to human eyes. To keep the difference imperceptible, existing attacks bound the adversarial perturbations by the $\ell_\infty$ norm, which then serves as the standard for aligning different attacks for a fair comparison. However, when investigating attack transferability, i.e., the capability of AEs crafted against one surrogate DNN to fool other black-box DNNs, we find that using only the $\ell_\infty$ norm is not sufficient to measure the attack strength, according to our comprehensive experiments concerning 7 transfer-based attacks, 4 white-box surrogate models, and 9 black-box victim models. Specifically, we find that the $\ell_2$ norm greatly affects the transferability in $\ell_\infty$ attacks. Since larger-perturbed AEs naturally bring about better transferability, we advocate that the strength of all attacks should be measured by both the widely used $\ell_\infty$ norm and the $\ell_2$ norm. Although our conclusion and advocacy are intuitive, they are very necessary for the community, because common evaluations (bounding only the $\ell_\infty$ norm) allow tricky enhancements of the "attack transferability" by increasing the "attack strength" ($\ell_2$ norm), as shown by our simple counter-example method, and the good transferability of several existing methods may be due to their large $\ell_2$ distances.
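The reporting practice advocated above, sketched as an added example that is not code from the paper: an evaluation helper that records both norms for each attack's perturbations and refuses to treat two attacks as comparable when their $\ell_2$ norms diverge under the same $\ell_\infty$ budget. The attack names, the 5% tolerance, the budget of 8/255 and the 3x32x32 input size are assumptions, and the perturbations are constructed random vectors, not outputs of any real attack.

```python
import math
import random

def linf_norm(delta):
    return max(abs(v) for v in delta)

def l2_norm(delta):
    return math.sqrt(sum(v * v for v in delta))

def strength_report(perturbations, eps, tol=1e-9):
    """Per attack: worst-case l_inf, mean l_2, and how much of the l_2 ceiling is used."""
    report = {}
    for name, deltas in perturbations.items():
        d = len(deltas[0])
        linf = max(linf_norm(x) for x in deltas)
        mean_l2 = sum(l2_norm(x) for x in deltas) / len(deltas)
        report[name] = {
            "linf": linf,
            "within_budget": linf <= eps + tol,
            "mean_l2": mean_l2,
            # eps * sqrt(d) is the largest l_2 norm an l_inf-bounded perturbation can reach
            "l2_fill": mean_l2 / (eps * math.sqrt(d)),
        }
    return report

def comparable(report, a, b, rel_tol=0.05):
    """Treat two attacks as equally strong only if both norms line up (rel_tol is an assumption)."""
    ra, rb = report[a], report[b]
    if not (ra["within_budget"] and rb["within_budget"]):
        return False
    gap = abs(ra["mean_l2"] - rb["mean_l2"]) / max(ra["mean_l2"], rb["mean_l2"])
    return gap <= rel_tol

def demo(seed=0, eps=8 / 255, d=3 * 32 * 32, n=16):
    # Constructed stand-ins: "sign_like" puts every coordinate at +/-eps,
    # "uniform" spreads coordinates across [-eps, eps]. Same l_inf budget for both.
    rng = random.Random(seed)
    perturbations = {
        "sign_like": [[rng.choice((-eps, eps)) for _ in range(d)] for _ in range(n)],
        "uniform": [[rng.uniform(-eps, eps) for _ in range(d)] for _ in range(n)],
    }
    return strength_report(perturbations, eps)

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Both constructed sets satisfy the same $\ell_\infty$ bound, yet the sign-like set sits at the $\ell_2$ ceiling while the uniform set uses roughly 58% of it, which is the gap a single-norm comparison hides.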