Enhancing Adversarial Examples Transferability via Ensemble Feature Manifolds

Abstract

The adversarial attack is a technique that causes intended misclassification by adding imperceptible perturbations to benign inputs. It provides a way to evaluate the robustness of models. Many existing adversarial attacks have achieved good performance in the white-box settings. However, these adversarial examples generated by various attacks typically overfit the particular architecture of the source model, resulting in low transferability in the black-box scenarios. In this work, we propose a novel feature attack method called Features-Ensemble Generative Adversarial Network (FEGAN), which ensembles multiple feature manifolds to capture intrinsic adversarial information that is most likely to cause misclassification of many models, thereby improving the transferability of adversarial examples. Accordingly, a generator trained based on various latent feature vectors of benign inputs can produce adversarial examples containing this adversarial information. Extensive experiments on the MNIST and CIFAR10 datasets demonstrate that the proposed method improves the transferability of adversarial examples while ensuring the attack success rate in the white-box scenario. In addition, the generated adversarial examples are more realistic with distribution close to that of the actual data.