Everywhere Attack: Attacking Locally and Globally to Boost Targeted Transferability

Adversarial examples' (AE) transferability refers to the phenomenon that AEs crafted with one surrogate model can also fool other models. Notwithstanding remarkable progress in untargeted transferability, its targeted counterpart remains challenging. This paper proposes an everywhere scheme to boost targeted transferability. Our idea is to attack a victim image both globally and locally. We aim to optimize 'an army of targets' in every local image region instead of the previous works that optimize a high-confidence target in the image. Specifically, we split a victim image into non-overlap blocks and jointly mount a targeted attack on each block. Such a strategy mitigates transfer failures caused by attention inconsistency between surrogate and victim models and thus results in stronger transferability. Our approach is method-agnostic, which means it can be easily combined with existing transferable attacks for even higher transferability. Extensive experiments on ImageNet demonstrate that the proposed approach universally improves the state-of-the-art targeted attacks by a clear margin, e.g., the transferability of the widely adopted Logit attack can be improved by 28.8%-300%.We also evaluate the crafted AEs on a real-world platform: Google Cloud Vision. Results further support the superiority of the proposed method.

Key Contributions

• Identifies attention inconsistency between surrogate and victim models as a primary cause of targeted transfer failure.
• Proposes the 'Everywhere Attack' which simultaneously mounts targeted attacks on every non-overlapping local block of a victim image, covering diverse attention regions of victim models.
• Method-agnostic scheme that universally improves state-of-the-art targeted attacks (e.g., Logit attack by 28.8%–300%) and is validated on both ImageNet and the Google Cloud Vision API.

🛡️ Threat Analysis

Details

Similar Papers