Given the severe vulnerability of Deep Neural Networks (DNNs) to adversarial examples, there is an urgent need for effective adversarial attacks to identify the deficiencies of DNNs in security-sensitive applications. Transfer-based attacks, one of the prevalent kinds of black-box adversarial attack, still cannot achieve performance comparable to that of white-box attacks. Among these, input transformation-based attacks have shown remarkable effectiveness in boosting transferability. In this work, we find that existing input transformation-based attacks transform the input image globally, resulting in limited diversity of the transformed images. We postulate that more diverse transformed images result in better transferability. Thus, we investigate how to apply various transformations locally to the input image to improve such diversity while preserving the structure of the image. To this end, we propose a novel input transformation-based attack, called Structure Invariant Attack (SIA), which applies a random image transformation to each image block to craft a set of diverse images for gradient calculation. Extensive experiments on the standard ImageNet dataset demonstrate that SIA exhibits much better transferability than the existing SOTA input transformation-based attacks on CNN-based and transformer-based models, showing its generality and superiority in boosting transferability. Code is available at https://github.com/xiaosen-wang/SIT.
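The block-wise transformation described above can be sketched as follows, for instance to reproduce the input diversity when evaluating a model's robustness. This is an added example, not the SIA authors' code: the function names, the 3x3 split and the set of per-block operations are assumptions, since the abstract does not list them.

```python
import numpy as np

# Shape-preserving per-block operations. This set is an assumption made for
# illustration; the abstract does not say which transformations SIA uses.
BLOCK_OPS = {
    "identity": lambda b, rng: b,
    "vflip": lambda b, rng: b[::-1, :],
    "hflip": lambda b, rng: b[:, ::-1],
    "rot180": lambda b, rng: b[::-1, ::-1],
    "scale": lambda b, rng: b * rng.uniform(0.5, 1.0),
}


def block_edges(length, splits):
    """Boundaries that cut `length` pixels into `splits` near-equal parts."""
    return np.linspace(0, length, splits + 1).astype(int)


def blockwise_transform(image, splits, rng):
    """Apply one randomly chosen op to every block of a float image.

    Each block stays at its original position and keeps its shape, so the
    global layout (structure) of the image is preserved while the local
    content varies. Returns the new image and the op chosen per block.
    """
    out = np.empty_like(image)
    rows = block_edges(image.shape[0], splits)
    cols = block_edges(image.shape[1], splits)
    names = list(BLOCK_OPS)
    chosen = []
    for r0, r1 in zip(rows[:-1], rows[1:]):
        for c0, c1 in zip(cols[:-1], cols[1:]):
            name = names[rng.integers(len(names))]
            out[r0:r1, c0:c1] = BLOCK_OPS[name](image[r0:r1, c0:c1], rng)
            chosen.append(name)
    return out, chosen


def make_copies(image, splits=3, n_copies=4, seed=0):
    """Build the set of diverse copies that would feed gradient averaging."""
    rng = np.random.default_rng(seed)
    return [blockwise_transform(image, splits, rng) for _ in range(n_copies)]


if __name__ == "__main__":
    demo = np.arange(36, dtype=float).reshape(6, 6)  # constructed sample image
    for _, ops in make_copies(demo):
        print(ops)
```

With five operations and nine blocks there are 5^9 possible assignments per copy, against five when a single operation is applied to the whole image, which is the diversity gap the abstract refers to.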