Despite the success of input transformation-based attacks on boosting adversarial transferability, the performance is unsatisfying due to the ignorance of the discrepancy across models. In this paper, we propose a simple but effective feature augmentation attack (FAUG) method, which improves adversarial transferability without introducing extra computation costs. Specifically, we inject the random noise into the intermediate features of the model to enlarge the diversity of the attack gradient, thereby mitigating the risk of overfitting to the specific model and notably amplifying adversarial transferability. Moreover, our method can be combined with existing gradient attacks to augment their performance further. Extensive experiments conducted on the ImageNet dataset across CNN and transformer models corroborate the efficacy of our method, e.g., we achieve improvement of +26.22% and +5.57% on input transformation-based attacks and combination methods, respectively.

翻译：尽管基于输入变换的攻击在提升对抗可迁移性方面取得了成功，但由于忽视了模型间的差异性，其性能仍不尽如人意。本文提出了一种简单而有效的特征增强攻击方法，该方法在不引入额外计算成本的前提下，显著提升了对抗样本的可迁移性。具体而言，我们在模型的中间特征中注入随机噪声，以扩大攻击梯度的多样性，从而降低对特定模型的过拟合风险，并显著增强对抗可迁移性。此外，本方法可与现有的梯度攻击方法结合，进一步强化其攻击效果。在ImageNet数据集上针对CNN和Transformer模型进行的大量实验验证了本方法的有效性，例如，我们在基于输入变换的攻击及其组合方法上分别实现了+26.22%和+5.57%的性能提升。