Quantized neural networks (QNNs) have received increasing attention in resource-constrained scenarios due to their exceptional generalizability. However, their robustness against realistic black-box adversarial attacks has not been extensively studied. In this scenario, adversarial transferability is pursued across QNNs with different quantization bitwidths, which particularly involve unknown architectures and defense methods. Previous studies claim that transferability is difficult to achieve across QNNs with different bitwidths on the condition that they share the same architecture. However, we discover that under different architectures, transferability can be largely improved by using a QNN quantized with an extremely low bitwidth as the substitute model. We further improve the attack transferability by proposing quantization aware attack (QAA), which fine-tunes a QNN substitute model with a multiple-bitwidth training objective. In particular, we demonstrate that QAA addresses the two issues that are commonly known to hinder transferability: 1) quantization shifts and 2) gradient misalignments. Extensive experimental results validate the high transferability of QAA to diverse target models. For instance, when adopting the ResNet-34 substitute model on ImageNet, QAA outperforms the current best attack in attacking standardly trained DNNs, adversarially trained DNNs, and QNNs with varied bitwidths by 4.3% ∼ 20.9%, 8.7% ∼ 15.5%, and 2.6% ∼ 31.1% (absolute), respectively. In addition, QAA is efficient since it only takes one epoch for fine-tuning. In the end, we empirically explain the effectiveness of QAA from the view of the loss landscape. Our code is available at https://github.com/yyl-github-1896/QAA/.