Loading [MathJax]/extensions/MathMenu.js
Adversarial Example Soups: Improving Transferability and Stealthiness for Free | IEEE Journals & Magazine | IEEE Xplore
Access provided by:
MIT Libraries
Sign Out
Access provided by:
MIT Libraries
Sign Out
ADVANCED SEARCH
Journals & Magazines >IEEE Transactions on Informat... >Volume: 20

Adversarial Example Soups: Improving Transferability and Stealthiness for Free

PDF
Bo Yang; Hengwei Zhang; Jindong Wang; Yulong Yang; Chenhao Lin; Chao Shen
All Authors

Abstract:

Transferable adversarial examples cause practical security risks since they can mislead a target model without knowing its internal knowledge. A conventional recipe for m...Show More

Metadata

Abstract:

Transferable adversarial examples cause practical security risks since they can mislead a target model without knowing its internal knowledge. A conventional recipe for maximizing transferability is to keep only the optimal adversarial example from all those obtained in the optimization pipeline. In this paper, for the first time, we revisit this convention and demonstrate that those discarded, sub-optimal adversarial examples can be reused to boost transferability. Specifically, we propose “Adversarial Example Soups” (AES), with AES-tune for averaging discarded adversarial examples in hyperparameter tuning and AES-rand for stability testing. In addition, our AES is inspired by “model soups”, which averages weights of multiple fine-tuned models for improved accuracy without increasing inference time. Extensive experiments validate the global effectiveness of our AES, boosting 10 state-of-the-art transfer attacks and their combinations by up to 13% against 10 diverse (defensive) target models. We also show the possibility of generalizing AES to other types, e.g., directly averaging multiple in-the-wild adversarial examples that yield comparable success. A promising byproduct of AES is the improved stealthiness of adversarial examples since the perturbation variances are naturally reduced.
Published in: IEEE Transactions on Information Forensics and Security ( Volume: 20)
Page(s): 1882 - 1894
Date of Publication: 30 January 2025

ISSN Information:

DOI: 10.1109/TIFS.2025.3536611

Funding Agency:

Contents

I. Introduction

In recent years, Deep Neural Networks (DNNs) have achieved great success in various domains, such as image classification [1], [2], face recognition [3], [4], object detection [5], [6], [7], and autonomous driving [8], [9]. However, DNNs are known to be vulnerable to adversarial examples [10], [11], [12], [13], [14], which are crafted by adding imperceptible perturbations into clean images. Adversarial examples can cause severe threats in black-box security-sensitive applications, such as face recognition systems [15] and autonomous driving cars [16], due to their transferability, i.e., the adversarial examples generated on the surrogate model can be directly used to mislead unknown target models [17], [18], [19], [20], [21].

Contact IEEE to Subscribe
More Like This
Tuning maturity model of ecogeography-based optimization on CEC 2015 single-objective optimization test problems

2015 IEEE Congress on Evolutionary Computation (CEC)

Published: 2015

Classifier Optimization with a Test-Time Training Layer for Employee Attrition Prediction

2024 11th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI)

Published: 2024

Show More

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.