Adversarial attack method based on enhanced spatial momentum

Deep neural networks have been widely applied in many fields, but it is found that they are vulnerable to adversarial examples, which can mislead the DNN-based models with imperceptible perturbations. Many adversarial attack methods can achieve great success rates when attacking white-box models, but they usually exhibit poor transferability when attacking black-box models. Momentum iterative gradient-based methods can effectively improve the transferability of adversarial examples. Still, the momentum update mechanism of existing methods may lead to a problem of unstable gradient update direction and result in poor local optima. In this paper, we propose an enhanced spatial momentum iterative gradient-based adversarial attack method. Specifically, we introduce the spatial domain momentum accumulation mechanism. Instead of only accumulating the gradients of data points on the optimization path in the gradient update process, we additionally accumulate the average gradients of multiple sampling points within the neighborhood of data points. This mechanism fully utilizes the contextual gradient information of different regions within the image to smooth the accumulated gradients and find a more stable gradient update direction, thus escaping from poor local optima. Empirical results on the standard ImageNet dataset demonstrate that our method can significantly improve the attack success rate of momentum iterative gradient-based methods and shows excellent attack performance not only against normally trained models but also against adversarial training and defense models, outperforming the state-of-the-art methods.