Deep neural networks are widely known to be vulnerable to adversarial examples, and they perform especially poorly on adversarial examples generated under the white-box setting. However, most white-box attack methods rely heavily on the target model and quickly get stuck in local optima, resulting in poor adversarial transferability. Momentum-based methods and their variants have been proposed to escape the local optima for better transferability. In this work, we notice that the transferability of adversarial examples generated by the iterative fast gradient sign method (I-FGSM) exhibits a decreasing trend as the number of iterations increases. Motivated by this finding, we argue that the information in adversarial perturbations near the benign sample, especially the direction, contributes more to transferability. Thus, we propose a novel strategy, which uses the Scheduled step size and the Dual example (SD), to fully utilize the adversarial information near the benign sample. Our proposed strategy can be easily integrated with existing adversarial attack methods for better adversarial transferability. Empirical evaluations on the standard ImageNet dataset demonstrate that our proposed method can significantly enhance the transferability of existing adversarial attacks.