Transfer-based attack adopts the adversarial examples generated on the surrogate model to attack various models, making it applicable in the physical world and attracting increasing interest. Recently, various adversarial attacks have emerged to boost adversarial transferability from different perspectives. In this work, inspired by the fact that flat local minima are correlated with good generalization, we assume and empirically validate that adversarial examples at a flat local region tend to have good transferability by introducing a penalized gradient norm to the original loss function. Since directly optimizing the gradient regularization norm is computationally expensive and intractable for generating adversarial examples, we propose an approximation optimization method to simplify the gradient update of the objective function. Specifically, we randomly sample an example and adopt the first-order gradient to approximate the second-order Hessian matrix, which makes computing more efficient by interpolating two Jacobian matrices. Meanwhile, in order to obtain a more stable gradient direction, we randomly sample multiple examples and average the gradients of these examples to reduce the variance due to random sampling during the iterative process. Extensive experimental results on the ImageNet-compatible dataset show that the proposed method can generate adversarial examples at flat local regions, and significantly improve the adversarial transferability on either normally trained models or adversarially trained models than the state-of-the-art attacks.

翻译：基于迁移的攻击利用在替代模型上生成的对抗样本来攻击各类模型，使其在物理世界中具有适用性，并引起越来越多的关注。近年来，从不同角度提升对抗迁移性的各类对抗攻击方法不断涌现。受平坦局部最小值与良好泛化性相关的启发，本文通过向原始损失函数引入惩罚梯度范数，假设并实证验证了处于平坦局部区域的对抗样本往往具有更好的迁移性。由于直接优化梯度正则化范数在对抗样本生成中计算成本高且难以处理，我们提出了一种近似优化方法以简化目标函数的梯度更新。具体而言，我们随机采样一个样本，并利用一阶梯度近似二阶海森矩阵，通过插值两个雅可比矩阵提高计算效率。同时，为获得更稳定的梯度方向，我们随机采样多个样本并对这些样本的梯度取平均，以降低迭代过程中随机采样带来的方差。在ImageNet兼容数据集上的大量实验结果表明，所提方法能够在平坦局部区域生成对抗样本，并显著提升对抗迁移性，无论是对正常训练模型还是对抗训练模型，其效果均优于现有最优攻击方法。