LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity

[en] We propose transferability from Large Geometric Vicinity (LGV), a new technique to increase the transferability of black-box adversarial attacks. LGV starts from a pretrained surrogate model and collects multiple weight sets from a few additional training epochs with a constant and high learning rate. LGV exploits two geometric properties that we relate to transferability. First, models that belong to a wider weight optimum are better surrogates. Second, we identify a subspace able to generate an effective surrogate ensemble among this wider optimum. Through extensive experiments, we show that LGV alone outperforms all (combinations of) four established test-time transformations by 1.8 to 59.9\% points. Our findings shed new light on the importance of the geometry of the weight space to explain the transferability of adversarial examples.

Disciplines :

Computer science

Author, co-author :

GUBRI, Martin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SerVal

CORDY, Maxime ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SerVal

PAPADAKIS, Mike ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

Traon, Yves Le

Sen, Koushik

External co-authors :

yes

Language :

English

Title :

LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity

Publication date :

2022

Event name :

EUROPEAN CONFERENCE ON COMPUTER VISION

Event date :

October 23–27, 2022

Audience :

International

Main work title :

Computer Vision -- ECCV 2022

Publisher :

Springer Nature Switzerland

ISBN/EAN :

978-3-031-19772-7

Pages :

603--618

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR12669767 - Testing Self-learning Systems, 2018 (01/09/2019-31/08/2022) - Yves Le Traon

Available on ORBilu :

since 30 December 2022

Statistics

Number of views

91 (3 by Unilu)

Number of downloads

21 (1 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Ashukha, A., Lyzhov, A., Molchanov, D., Vetrov, D.: Pitfalls of in-domain uncertainty estimation and ensembling in deep learning (2020). http://arxiv.org/abs/2002.06470
Biggio, B., et al.: Evasion attacks against machine learning at test time. In: Lecture Notes in Computer Science, vol. 8190 LNAI, pp. 387–402 (2013). https://doi.org/10.1007/978-3-642-40994-3 25
Charles, Z., Rosenberg, H., Papailiopoulos, D.: A geometric perspective on the transferability of adversarial directions. In: AISTATS 2019 (2020). http://arxiv. org/abs/1811.03531
Dargan, S., Kumar, M., Ayyagari, M.R., Kumar, G.: A survey of deep learning and its applications: a new paradigm to machine learning. Arch. Comput. Methods Eng. 27(4), 1071–1092 (2019)
Dong, Y., et al.: Boosting adversarial attacks with momentum. In: CVPR, pp. 9185–9193 (2018). https://doi.org/10.1109/CVPR.2018.00957
Eykholt, K., et al.: Robust physical-world attacks on deep learning models (2017). https://doi.org/10.48550/arxiv.1707.08945
Foret, P., Kleiner Google Research, A., Mobahi Google Research, H., Neyshabur Blueshift, B.: Sharpness-aware minimization for efficiently improving generalization (2020). http://arxiv.org/abs/2010.01412v3
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples (2014)
Gubri, M., Cordy, M., Papadakis, M., Traon, Y.L.: Efficient and transferable adversarial examples from Bayesian neural networks. UAI 2022 (2022). http://arxiv.org/abs/2011.05074
Gur-Ari, G., Roberts, D.A., Dyer, E.: Gradient descent happens in a tiny subspace (2018). http://arxiv.org/abs/1812.04754
Hochreiter, S., Schmidhuber, J.: Flat minima. Neural Comput. 9(1), 1–42 (1997). https://doi.org/10.1162/NECO.1997.9.1.1
Izmailov, P., Maddox, W.J., Kirichenko, P., Garipov, T., Vetrov, D., Wilson, A.G.: Subspace inference for Bayesian deep learning. In: UAI 2019 (2019). http://arxiv. org/abs/1907.07504
Izmailov, P., Podoprikhin, D., Garipov, T., Vetrov, D., Wilson, A.G.: Averaging weights leads to wider optima and better generalization. In: 34th Conference on Uncertainty in Artificial Intelligence 2018, UAI 2018, vol. 2, pp. 876–885. Association For Uncertainty in Artificial Intelligence (AUAI) (2018). http://arxiv.org/abs/1803.05407
Keskar, N.S., Nocedal, J., Tang, P.T.P., Mudigere, D., Smelyanskiy, M.: On large-batch training for deep learning: generalization gap and sharp minima. In: ICLR 2017 (2016). http://arxiv.org/abs/1609.04836v2
Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: 5th International Conference on Learning Representations, ICLR 2017-Workshop Track Proceedings (2017). http://arxiv.org/abs/1607.02533
Li, C., Farkhoor, H., Liu, R., Yosinski, J.: Measuring the intrinsic dimension of objective landscapes. In: 6th International Conference on Learning Representations, ICLR 2018-Conference Track Proceedings (2018). http://arxiv.org/abs/1804.08838v1
Li, Y., Bai, S., Zhou, Y., Xie, C., Zhang, Z., Yuille, A.: Learning transferable adversarial examples via ghost networks. In: AAAI 34(07), pp. 11458–11465 (2018). https://doi.org/10.1609/aaai.v34i07.6810, http://arxiv.org/abs/1812.03413
Maddox, W.J., Garipov, T., Izmailov, Vetrov, D., Wilson, A.G.: A simple baseline for Bayesian uncertainty in deep learning. In: NeurIPS, vol. 32 (2019). http://arxiv.org/abs/1902.02476
Mandt, S., Hof Fman, M.D., Blei, D.M.: Stochastic gradient descent as approximate Bayesian inference. J. Mach. Learn. Res. 18, 1–35 (2017). http://arxiv.org/abs/1704.04289v2
Papernot, N., McDaniel, P., Goodfellow, I.: Transferability in machine learning: from phenomena to black-box attacks using adversarial samples (2016). http://arxiv.org/abs/1605.07277
Paszke, A., et al.: PyTorch: an imperative style, high-performance deep learning library. In: NIPS, pp. 8024–8035 (2019). http://papers.neurips.cc/paper/9015-pytorch-an-imperative-style-high-performance-deep-learning-library.pdf
Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Sharif, M., Bhagavatula, S., Bauer, L., Reiter, M.K.: A general framework for adversarial examples with objectives. ACM Trans. Priv. Secur. 22(3), 30 (2017). https://doi.org/10.1145/3317611
Szegedy, C., et al.: Intriguing properties of neural networks (2013). http://arxiv. org/abs/1312.6199
Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble adversarial training: Attacks and defenses. In: 6th International Conference on Learning Representations, ICLR 2018-Conference Track Proceedings (2018). http://arxiv.org/abs/1705.07204
Tramèr, F., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: The space of transferable adversarial examples (2017). http://arxiv.org/abs/1704.03453
Wu, D., Wang, Y., Xia, S.T., Bailey, J., Ma, X.: Skip connections matter: on the transferability of adversarial examples generated with ResNets. In: ICLR (2020). http://arxiv.org/abs/2002.05990
Wu, D., Xia, S.T., Wang, Y.: Adversarial weight perturbation helps robust generalization. In: Advances in Neural Information Processing Systems. Neural information processing systems foundation (2020). http://arxiv.org/abs/2004.05884v2
Xie, C., et al.: Improving transferability of adversarial examples with input diversity. In: Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 2019-June, pp. 2725–2734 (2019). https://doi.org/10.1109/CVPR.2019.00284
Xu, K., et al.: Evading real-time person detectors by adversarial T-shirt (2019). http://arxiv.org/abs/1910.11099
Yao, Z., Gholami, A., Keutzer, K., Mahoney, M.W.: PyHessian: neural networks through the lens of the Hessian. Big Data 2020, pp. 581–590 (2019). https://doi. org/10.1109/BigData50022.2020.9378171
Zhang, S., Reid, I., Pérez, G.V., Louis, A.: Why flatness does and does not correlate with generalization for deep neural networks (2021). http://arxiv.org/abs/2103. 06219