Enhancing Targeted Attack Transferability via Diversified Weight Pruning

Abstract

Malicious attackers generate adversarial instances by introducing imperceptible perturbations into data. Even in the black-box setting where model details are concealed, attackers still exploit networks with cross-model transferability. Despite the notable success of untargeted attacks, achieving targeted attack transferability remains a challenging endeavor. Recent investigations have demonstrated the efficacy of ensemble-based techniques. However, utilizing additional models to carry out ensemble attacks brings extra costs. To reduce the number of white-box models required, model augmentation methods augment the given network to produce a variant of diverse models, contributing useful gradients for attack. In this work, we propose Diversified Weight Pruning (DWP) as an innovative model augmentation technique specifically designed to facilitate the generation of transferable targeted attacks. In contrast to prior techniques, DWP preserves essential connections while simultaneously ensuring diversity among the pruned models, both of which are identified as pivotal factors for targeted transferability. DWP is shown effective with experiments on ImageNet under challenging conditions, with enhancements of up to 10.1%, 6.6%, and 7.0% across adversarially trained models, Non-CNN architectures, and Google Cloud Vision respectively.