Deep neural networks are vulnerable to adversarial examples, which add human-imperceptible perturbations to benign inputs. Moreover, adversarial examples transfer across different models, which makes practical black-box attacks feasible. However, existing methods still fail to achieve the desired transfer attack performance. In this work, from the perspective of gradient optimization and consistency, we analyze and discover the gradient elimination phenomenon as well as the local momentum optimum dilemma. To tackle these issues, we propose Global Momentum Initialization (GI) to suppress gradient elimination and help search for the global optimum. Specifically, we perform gradient pre-convergence before the attack and carry out a global search during the pre-convergence stage. Our method can be easily combined with almost all existing transfer methods, and we improve the success rate of transfer attacks significantly, by an average of 6.4% under various advanced defense mechanisms compared to state-of-the-art methods. Ultimately, we achieve an attack success rate of 95.4%, fully illustrating the insecurity of existing defense mechanisms. Code is available at https://github.com/Omenzychen/Global-Momentum-Initialization.