Many existing adversarial attacks generate $L_p$-norm perturbations in image RGB space. Despite some achievements in transferability and attack success rate, the crafted adversarial examples are easily perceived by human eyes. Towards visual imperceptibility, some recent works explore unrestricted attacks without $L_p$-norm constraints, yet they lack transferability when attacking black-box models. In this work, we propose a novel imperceptible and transferable attack by leveraging both the generative and discriminative power of diffusion models. Specifically, instead of direct manipulation in pixel space, we craft perturbations in the latent space of diffusion models. Combined with well-designed content-preserving structures, we can generate human-insensitive perturbations embedded with semantic clues. For better transferability, we further "deceive" the diffusion model, which can be viewed as an implicit recognition surrogate, by distracting its attention away from the target regions. To our knowledge, our proposed method, DiffAttack, is the first to introduce diffusion models into the adversarial attack field. Extensive experiments on various model structures, datasets, and defense methods have demonstrated the superiority of our attack over existing attack methods.