Quantized Neural Networks (QNNs) receive increasing attention in resource-constrained scenarios because of their excellent generalization abilities, but their robustness under realistic black-box adversarial attacks, in which the adversary must improve attack capability across target models with unknown quantization bitwidths, has not been deeply studied. One major challenge is that adversarial examples transfer poorly against QNNs with unknown bitwidths because of quantization shift and gradient misalignment. This paper proposes the Quantization Aware Attack (QAA), which enhances attack transferability by making the substitute model "aware of" the goal of attacking models with multiple bitwidths. Specifically, we design a training objective with multiple bitwidths that aligns the gradient of the substitute model with that of target models of different bitwidths and thus mitigates the negative effect of the above two issues. We conduct comprehensive evaluations by performing multiple transfer-based attacks on standard models and defense models with different architectures and quantization bitwidths. Experimental results show that QAA significantly improves the adversarial transferability of state-of-the-art attacks by 3.4%-20.9% against normally trained models and 3.7%-13.4% against adversarially trained models on average.