Deep neural networks are vulnerable to adversarial examples, which makes it imperative to test a model's robustness before deployment. Transfer-based attackers craft adversarial examples against surrogate models and transfer them to victim models deployed in the black-box setting. To enhance adversarial transferability, structure-based attackers adjust the backpropagation path to keep the attack from overfitting the surrogate model. However, existing structure-based attackers fail to explore the convolution module in CNNs and modify the backpropagation graph heuristically, leading to limited effectiveness. In this paper, we propose backPropagation pAth Search (PAS), which solves these two problems. We first propose SkipConv to adjust the backpropagation path of convolution by structural reparameterization. To overcome the drawback of heuristically designed backpropagation paths, we further construct a DAG-based search space, utilize one-step approximation for path evaluation, and employ Bayesian Optimization to search for the optimal path. We conduct comprehensive experiments in a wide range of transfer settings, showing that PAS improves the attack success rate by a huge margin for both normally trained and defense models.