透過多樣化的權重修剪提升目標攻擊的可轉移性

Abstract

惡意攻擊者可以透過添加微小的擾動生成目標性對抗例，促使神經網路產生特定的錯誤輸出。在跨模型的遷移性下，即使無法直接存取神經網路模型的參數，模型一樣可能受到對抗例的攻擊。現今研究提出以集成式方法來生成對抗例以增加遷移性。為了更加提升遷移性，模型增強法會增加參與集成式方法的模型數量。然而，現存的模型增強法只在無目標性攻擊的設定上進行。在本作中，我們提出多樣化權重修剪，一個新穎的模型增強法，來產生目標性攻擊。相較於以往的研究，多樣化權重修剪會保護模型中必要的權重，並同時確保修剪後模型的多樣性。我們將在實驗中呈現此對目標性攻擊的重要性。我們在 ImageNet 兼容資料集上，提供了更具挑戰性的設定下的實驗結果：分別是遷移到經過對抗訓練的模型、非捲積神經網路模型以及 Google 雲端電腦視覺服務。結果顯示我們提出的多樣化權重修剪分別能在三個設定下，基於最新方法，提升目標性攻擊成功率10.1%, 6.6%, 以及 7.0%。我們將會在投稿接受後開放程式碼。

Malicious attackers can generate targeted adversarial examples by imposing tiny noises, forcing neural networks to produce specific incorrect outputs. With cross-model transferability, network models remain vulnerable even in black-box settings. Recent studies have shown the effectiveness of ensemble-based methods in generating transferable adversarial examples. To further enhance transferability, model augmentation methods aim to produce more networks participating in the ensemble. However, existing model augmentation methods are only proven effective in untargeted attacks. In this work, we propose Diversified Weight Pruning (DWP), a novel model augmentation technique for generating transferable targeted attacks. DWP leverages the weight pruning method commonly used in model compression. Compared with prior work, DWP protects necessary connections and ensures the diversity of the pruned models simultaneously, which we show are crucial for targeted transferability. Experiments on the ImageNet-compatible dataset under various and more challenging scenarios confirm the effectiveness: transfer to adversarially trained models, Non-CNN architectures, and Google Cloud Vision. The results show that our proposed DWP improves the targeted attack success rates with up to 10.1%, 6.6%, and 7.0% on the combination of state-of-the-art methods, respectively. The source code will be made available after acceptance.