Rotation Transformation: A Method to Improve the Transferability of Adversarial Examples

Abstract

Convolutional neural network models are fragile to adversarial examples. Adding disturbances that humans cannot observe in clean images can make the model classification error. Among the adversarial attack methods, white-box attacks have achieved a high attack success rate, but the "overfitting" between the adversarial examples and the model has led to a low success rate of black-box attacks. To this end, this paper introduces the data augmentation method into the adversarial examples generation process, establishes a probability model to perform random rotation transformation on clean images, improves the mobility of adversarial examples, and improves the success rate of adversarial examples under black-box setting. The experimental results on ImageNet show that the RO-MI-FGSM method we proposed has a stronger attack effect, achieving a black-box attack success rate up to 80.3%.