Rethinking the optimization objective for transferable adversarial examples from a fuzzy perspective

Transferable adversarial examples, which are generated by transfer-based attacks, have strong adaptability for attacking a completely unfamiliar victim model without knowing its architecture, parameters and outputs. While current transfer-based attacks easily defeat surrogate model with minor perturbations, they struggle to transfer these perturbations to unfamiliar victim models. To characterize these untransferable adversarial examples, which consist of natural examples and perturbations, we define the concept of fuzzy domain. Here, the adversarial examples that do not fall inside the fuzzy domain will successfully attack the victim model. To assist the adversarial examples in escaping from the fuzzy domain, we propose a fuzzy optimization-based transferable attack (FOTA) to maximize both the original cross-entropy (CE) loss and the newly proposed membership functions. The proposed membership functions are positively correlated to the probability of falling outside the fuzzy domain. Furthermore, to maximize the transferability of adversarial examples, we present Adaptive FOTA (Ada-FOTA), which dynamically updates the adversarial examples until the membership functions converge, rather than fixing the number of update iterations in advance in the current attacks. When the membership functions converge to 1, the maximum probability that adversarial examples fall outside the fuzzy domain can be achieved. The empirical results on ImageNet dataset show that, for minor perturbations, our FOTA can improve the transferability of adversarial examples by 5.4% on attacking five naturally-trained victim models, and Ada-FOTA can further increase the transferability of adversarial examples by an additional 13.8% in comparison with current transfer-based attacks. Code is available at https://github.com/HaloMoto/FOTA.