Shihui Zhang, Shaojie Han, Sheng Yang, Xueqiang Han, Junbin Su, Gangzheng Zhai, Houlin Wang
{"title":"Transferable targeted adversarial attack via multi-source perturbation generation and integration","authors":"Shihui Zhang , Shaojie Han , Sheng Yang , Xueqiang Han , Junbin Su , Gangzheng Zhai , Houlin Wang","doi":"10.1016/j.jvcir.2025.104493","DOIUrl":null,"url":null,"abstract":"<div><div>With the rapid development of artificial intelligence, deep learning models have been applied in the field of society (e.g., video or image representation). However, due to the presence of adversarial examples, these models exhibit obvious fragility, which has become a major challenge restricting society development. Therefore, studying the generation process and achieving high transferability of adversarial examples are of utmost importance. In this paper, we propose a transferable targeted adversarial attack method called Multi-source Perturbation Generation and Integration (MPGI) to address the vulnerability and uncertainty of deep learning models. Specifically, MPGI consists of three critical designs to achieve targeted transferability of adversarial examples. Firstly, we propose a Collaborative Feature Fusion (CFF) component, which reduces the impact of original example feature on model classification by considering collaboration in feature fusion. Subsequently, we propose a Multi-scale Perturbation Dynamic Fusion (MPDF) module to fuse perturbations from different scales for enriching perturbation diversity. Finally, we innovatively investigate a novel Logit Margin with Penalty (LMP) loss to further enhance the misleading ability of the examples. The LMP, as a pluggable part, offers the potential to be leveraged by different approaches for boosting performance. In summary, MPGI can effectively achieve targeted attacks, expose the shortcomings of existing models, and promote the development of artificial intelligence in terms of security. Extensive experiments on ImageNet-Compatible and CIFAR-10 datasets demonstrate the superiority of the proposed method. 
For instance, the attack success rate increases by 17.6% and 17.0% compared to state-of-the-art method when transferred from DN-121 to Inc-v3 and MB-v2 models.</div></div>","PeriodicalId":54755,"journal":{"name":"Journal of Visual Communication and Image Representation","volume":"111 ","pages":"Article 104493"},"PeriodicalIF":3.1000,"publicationDate":"2025-06-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Visual Communication and Image Representation","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1047320325001075","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citation count: 0
Abstract
With the rapid development of artificial intelligence, deep learning models have been applied across society (e.g., video or image representation). However, due to the presence of adversarial examples, these models exhibit obvious fragility, which has become a major challenge restricting societal development. Therefore, studying the generation process and achieving high transferability of adversarial examples are of utmost importance. In this paper, we propose a transferable targeted adversarial attack method called Multi-source Perturbation Generation and Integration (MPGI) to address the vulnerability and uncertainty of deep learning models. Specifically, MPGI consists of three critical designs to achieve targeted transferability of adversarial examples. Firstly, we propose a Collaborative Feature Fusion (CFF) component, which reduces the impact of the original example's features on model classification by considering collaboration in feature fusion. Subsequently, we propose a Multi-scale Perturbation Dynamic Fusion (MPDF) module to fuse perturbations from different scales for enriching perturbation diversity. Finally, we innovatively investigate a novel Logit Margin with Penalty (LMP) loss to further enhance the misleading ability of the examples. The LMP, as a pluggable part, offers the potential to be leveraged by different approaches for boosting performance. In summary, MPGI can effectively achieve targeted attacks, expose the shortcomings of existing models, and promote the development of artificial intelligence in terms of security. Extensive experiments on ImageNet-Compatible and CIFAR-10 datasets demonstrate the superiority of the proposed method. For instance, the attack success rate increases by 17.6% and 17.0% compared to the state-of-the-art method when transferred from DN-121 to Inc-v3 and MB-v2 models.
About the journal:
The Journal of Visual Communication and Image Representation publishes papers on state-of-the-art visual communication and image representation, with emphasis on novel technologies and theoretical work in this multidisciplinary area of pure and applied research. The field of visual communication and image representation is considered in its broadest sense and covers both digital and analog aspects as well as processing and communication in biological visual systems.