Deep neural networks (DNNs) are vulnerable to adversarial examples. Moreover, adversarial examples exhibit transferability: an adversarial example crafted for one DNN model can fool another model with a non-trivial probability. This gave birth to the transfer-based attack, in which adversarial examples generated by a surrogate model are used to conduct black-box attacks. There is some work on generating adversarial examples with better transferability from a given surrogate model. However, training a special surrogate model to generate adversarial examples with better transferability is relatively under-explored. This paper proposes a method for training a surrogate model with dark knowledge to boost the transferability of the adversarial examples it generates. The trained surrogate model is named the dark surrogate model (DSM). The proposed method for training a DSM consists of two key components: a teacher model that extracts dark knowledge, and a mixing augmentation technique that enhances the dark knowledge of the training data. We conducted extensive experiments showing that the proposed method substantially improves the adversarial transferability of surrogate models across different surrogate architectures and different optimizers for generating adversarial examples, and that it can be applied to other transfer-based attack scenarios that contain dark knowledge, such as face verification. Our code is publicly available at \url{https://github.com/ydc123/Dark_Surrogate_Model}.
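The two ingredients the abstract names, a teacher that supplies "dark knowledge" (the full soft probability vector, including the small mass on wrong classes that a one-hot label throws away) and a mixing augmentation that makes that soft label even less peaked, can be made concrete with a toy computation. The following is an added illustration, not code from the paper or its repository: it assumes the standard knowledge-distillation form (temperature-softened teacher softmax as the training target, soft-label cross-entropy as the loss) and a mixup-style convex combination of inputs and soft labels; the paper's actual training recipe and hyperparameters are not stated in the abstract and may differ. Logits, class names and the temperature are constructed for the example.

```python
import math

# Constructed toy setting: three classes and two teacher outputs (assumption,
# not values from the paper).
CLASSES = ["cat", "dog", "car"]
TEACHER_LOGITS_CAT = [6.0, 4.0, 0.5]   # a "cat" image: dog is the runner-up
TEACHER_LOGITS_CAR = [0.0, 1.0, 7.0]   # a "car" image
TEMPERATURE = 4.0                       # distillation temperature (assumed)


def softmax(logits, temperature=1.0):
    """Numerically stable softmax with an optional temperature."""
    scaled = [v / temperature for v in logits]
    top = max(scaled)
    exps = [math.exp(v - top) for v in scaled]
    total = sum(exps)
    return [e / total for e in exps]


def entropy(probs):
    """Shannon entropy in nats; 0 for a one-hot label, larger for softer labels."""
    return -sum(p * math.log(p) for p in probs if p > 0)


def one_hot(label, n_classes=len(CLASSES)):
    """The usual hard training target, which carries no dark knowledge."""
    return [1.0 if i == label else 0.0 for i in range(n_classes)]


def dark_knowledge(teacher_logits, temperature=TEMPERATURE):
    """Teacher soft label: the full class distribution at a raised temperature.

    The non-zero mass on wrong-but-similar classes (cat vs. dog) is the
    'dark knowledge' the student is trained to reproduce.
    """
    return softmax(teacher_logits, temperature)


def mixup(x_a, x_b, p_a, p_b, lam):
    """Mixing augmentation: convex combination of two inputs and of their
    soft labels with the same coefficient lam in [0, 1]."""
    x = [lam * a + (1.0 - lam) * b for a, b in zip(x_a, x_b)]
    p = [lam * a + (1.0 - lam) * b for a, b in zip(p_a, p_b)]
    return x, p


def soft_cross_entropy(student_logits, target_probs, temperature=TEMPERATURE):
    """Distillation loss: cross-entropy between the student's tempered
    softmax and the (possibly mixed) teacher distribution."""
    q = softmax(student_logits, temperature)
    return -sum(p * math.log(max(qi, 1e-12)) for p, qi in zip(target_probs, q))


def hard_cross_entropy(student_logits, label):
    """Ordinary cross-entropy against a one-hot label, for comparison."""
    q = softmax(student_logits)
    return -math.log(max(q[label], 1e-12))


def worked_example():
    """Walk through both components on the constructed inputs and return the
    quantities a reader would want to compare."""
    p_cat = dark_knowledge(TEACHER_LOGITS_CAT)
    p_car = dark_knowledge(TEACHER_LOGITS_CAR)
    # Toy 'images' are two 4-pixel vectors (constructed).
    x_cat, x_car = [0.9, 0.8, 0.1, 0.2], [0.1, 0.2, 0.9, 0.7]
    x_mix, p_mix = mixup(x_cat, x_car, p_cat, p_car, lam=0.5)
    return {
        "hard_entropy": entropy(one_hot(0)),
        "soft_entropy_cat": entropy(p_cat),
        "soft_entropy_car": entropy(p_car),
        "mixed_entropy": entropy(p_mix),
        "mixed_input": x_mix,
        # A student that already matches the teacher pays only the target's
        # entropy; a student that matches the wrong teacher pays more.
        "loss_matching_student": soft_cross_entropy(TEACHER_LOGITS_CAT, p_cat),
        "loss_other_student": soft_cross_entropy(TEACHER_LOGITS_CAR, p_cat),
        "hard_loss": hard_cross_entropy(TEACHER_LOGITS_CAT, 0),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Reading the output: the one-hot target has zero entropy, the teacher's tempered soft label for the cat image has clearly positive entropy (the dog class keeps noticeable mass), and mixing the cat and car samples raises the entropy of the target further, which is the sense in which the abstract says mixing augmentation "enhances" the dark knowledge present in the training data.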