Printed from https://ideas.repec.org/a/gam/jmathe/v10y2022i8p1249-d791122.html

Enhance Domain-Invariant Transferability of Adversarial Examples via Distance Metric Attack

Author

Listed:
  • Jin Zhang

    (Kunming Institute of Physics, Kunming 650223, China
    These authors contributed equally to this work.)

  • Wenyu Peng

    (School of Software, Yunnan University, Kunming 650500, China
    Engineering Research Center of Cyberspace, Yunnan University, Kunming 650500, China
    These authors contributed equally to this work.)

  • Ruxin Wang

    (School of Software, Yunnan University, Kunming 650500, China
    Engineering Research Center of Cyberspace, Yunnan University, Kunming 650500, China)

  • Yu Lin

    (Kunming Institute of Physics, Kunming 650223, China)

  • Wei Zhou

    (School of Software, Yunnan University, Kunming 650500, China
    Engineering Research Center of Cyberspace, Yunnan University, Kunming 650500, China)

  • Ge Lan

    (Kunming Institute of Physics, Kunming 650223, China)

Abstract

A general foundation of fooling a neural network without knowing the details (i.e., black-box attack) is the attack transferability of adversarial examples across different models. Many works have been devoted to enhancing the task-specific transferability of adversarial examples, whereas the cross-task transferability is nearly out of the research scope. In this paper, to enhance the above two types of transferability of adversarial examples, we are the first to regard the transferability issue as a heterogeneous domain generalisation problem, which can be addressed by a general pipeline based on the domain-invariant feature extractor pre-trained on ImageNet. Specifically, we propose a distance metric attack (DMA) method that aims to increase the latent layer distance between the adversarial example and the benign example along the opposite direction guided by the cross-entropy loss. With the help of a simple loss, DMA can effectively enhance the domain-invariant transferability (for both the task-specific case and the cross-task case) of the adversarial examples. Additionally, DMA can be used to measure the robustness of the latent layers in a deep model. We empirically find that the models with similar structures have consistent robustness at depth-similar layers, which reveals that model robustness is closely related to model structure. Extensive experiments on image classification, object detection, and semantic segmentation demonstrate that DMA can improve the success rate of black-box attack by more than 10% on the task-specific attack and by more than 5% on cross-task attack.

Suggested Citation

  • Jin Zhang & Wenyu Peng & Ruxin Wang & Yu Lin & Wei Zhou & Ge Lan, 2022. "Enhance Domain-Invariant Transferability of Adversarial Examples via Distance Metric Attack," Mathematics, MDPI, vol. 10(8), pages 1-15, April.
  • Handle: RePEc:gam:jmathe:v:10:y:2022:i:8:p:1249-:d:791122

    Download full text from publisher

    File URL: https://www.mdpi.com/2227-7390/10/8/1249/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2227-7390/10/8/1249/
    Download Restriction: no

    References listed on IDEAS

    1. Pengxi Yang & Fei Gao & Hua Zhang, 2021. "Multi-Player Evolutionary Game of Network Attack and Defense Based on System Dynamics," Mathematics, MDPI, vol. 9(23), pages 1-18, November.

    Citations



    Cited by:

    1. Yin, Zhenqin & Zhuo, Yue & Ge, Zhiqiang, 2023. "Transfer adversarial attacks across industrial intelligent systems," Reliability Engineering and System Safety, Elsevier, vol. 237(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Enning Zhang & Gang Wang & Runnian Ma & Juan Li, 2023. "An Optimal Group Decision-Making Approach for Cyber Security Using Improved Selection-Drift Dynamics," Dynamic Games and Applications, Springer, vol. 13(3), pages 980-1004, September.
