Boosting the Transferability of Adversarial Examples with More Efficient Data Augmentation

Abstract

Abstract Currently, Deep Neural Networks has achieved excellent results on many tasks. But recent studies have shown that these networks are easily influenced by adversarial examples, which are artificially crafted by adding perturbation to original image. Moreover, most of the models to which we can access are black-box, we don’t know the internal structure and parameters of the model. Thus, it is more practical and more challenging to study how to attack these models. In this article, we propose a cam(class activation map)-guided data augmentation attack method, which can improve the transferability of adversarial examples. Specifically, first use the trained network to get the class activation maps for an input image, then binarize the cam to get the mask, finally implement the data augmentation attack method on the masked area of the image. Experiments based on ImageNet prove that our proposed method can generate more transferable adversarial examples, and the attack success rates of our method have a certain improvement compared with the latest methods.