Frequency-domain augmentation and multi-scale feature alignment for improving transferability of adversarial examples

Transfer-based adversarial attack implies that the same adversarial example can fool Deep Neural Networks (DNNs) with different architectures. Model-related approaches train a new surrogate model in local to generate adversarial examples. However, because DNNs with different architectures focus on diverse features within the same data, adversarial examples generated by surrogate models frequently exhibit poor transferability when the surrogate and target models have significant architectural differences. In this paper, we propose a Two-Stage Generation Framework (TSGF) through frequency-domain augmentation and multi-scale feature alignment to address this issue. In the stage of surrogate model training, we enable the surrogate model to capture various features of data through detail and diversity enhancement. Detail enhancement increases the weight of details in clean examples by a frequency-domain augmentation module. Diversity enhancement incorporates slight adversarial examples into the training process to increase the diversity of clean examples. In the stage of adversarial generation, we perturb the distinctive features that different models focus on to improve transferability by a multi-scale feature alignment attack technique. Specifically, we design a loss function using the intermediate multi-layer features of the surrogate model to maximize the difference between the features of clean and adversarial examples. We compare TSGF with a combination of three closely related surrogate model training schemes and the most relevant adversarial attack methods. Results show that TSGF improves transferability across significantly different architectures. The implementation of TSGF is available at https://github.com/zhanghrswpu/TSGF.