Adaptive warping network for transferable adversarial attacks (Korean title: Adaptive warping network for improving the transferability of adversarial attacks)

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | 김창익 | - |
| dc.contributor.author | Son, Minji | - |
| dc.contributor.author | 손민지 | - |
| dc.date.accessioned | 2024-07-25T19:31:14Z | - |
| dc.date.available | 2024-07-25T19:31:14Z | - |
| dc.date.issued | 2023 | - |
| dc.identifier.uri | http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1045906&flag=dissertation | en_US |
| dc.identifier.uri | http://hdl.handle.net/10203/320676 | - |
| dc.description | Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST) : School of Electrical Engineering, 2023.8, [iii, 29 p. :] | - |
| dc.description.abstract | Deep Neural Networks (DNNs) are extremely susceptible to adversarial examples, which are crafted by intentionally adding imperceptible perturbations to clean images. Due to potential threats of adversarial attacks in practice, black-box transferable attacks are carefully studied to identify the vulnerability of DNNs. Unfortunately, transferable attacks often fail to achieve high transferability because the adversarial examples tend to overfit the source model. Applying input transformation is one of the most effective methods to avoid such overfitting. However, most previous input transformation methods obtain limited transferability because these methods utilize fixed transformations for all images. To solve the problem, we propose an Adaptive Warping Network (AWN), which searches for appropriate warping to the individual data. Specifically, AWN optimizes the warping, which mitigates the effect of adversarial perturbations in each iteration. The adversarial examples are generated to become robust against such strong transformations. Extensive experimental results on cross-model demonstrate that AWN outperforms the existing input transformation methods with respect to transferability. Furthermore, experiments in cross-domain settings demonstrate AWN improves transferability even in challenging scenarios. | - |
| dc.language | eng | - |
| dc.publisher | Korea Advanced Institute of Science and Technology (KAIST) | - |
| dc.subject | AI robustness; Adversarial attacks; Transferability-based attacks; Transferability; Input diversification; Warping (translated from the Korean keywords) | - |
| dc.subject | AI robustness; Adversarial attacks; Transferable attacks; Transferability; Input transformation; Warping | - |
| dc.title | Adaptive warping network for transferable adversarial attacks | - |
| dc.title.alternative | Adaptive warping network for improving the transferability of adversarial attacks (translated from the Korean title) | - |
| dc.type | Thesis(Master) | - |
| dc.identifier.CNRN | 325007 | - |
| dc.description.department | Korea Advanced Institute of Science and Technology (KAIST) : School of Electrical Engineering | - |
| dc.contributor.alternativeauthor | Kim, Changick | - |

Appears in Collection
EE-Theses_Master (Master's Theses)
Files in This Item
There are no files associated with this item.
