
LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity

  • Conference paper
Computer Vision – ECCV 2022 (ECCV 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13664)


Abstract

We propose transferability from Large Geometric Vicinity (LGV), a new technique to increase the transferability of black-box adversarial attacks. LGV starts from a pretrained surrogate model and collects multiple weight sets from a few additional training epochs with a constant and high learning rate. LGV exploits two geometric properties that we relate to transferability. First, models that belong to a wider weight optimum are better surrogates. Second, we identify a subspace able to generate an effective surrogate ensemble among this wider optimum. Through extensive experiments, we show that LGV alone outperforms all (combinations of) four established test-time transformations by 1.8 to 59.9 percentage points. Our findings shed new light on the importance of the geometry of the weight space to explain the transferability of adversarial examples.


Notes

  1. https://github.com/Framartin/lgv-geometric-transferability

  2. As in [12], we use the PCA implementation of sklearn [22], but here we select the full SVD solver instead of randomized SVD to keep all the singular vectors.
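The PCA setting from note 2, as an added illustration that is not taken from the paper or its repository: only sklearn's `PCA` with `svd_solver="full"` comes from the note, while the toy quadratic loss, the snapshot schedule and all function names are assumptions standing in for a real model's flattened weights.

```python
import numpy as np
from sklearn.decomposition import PCA


def collect_weights(n_collect=10, dim=50, lr=0.05, steps_per_collect=5, seed=0):
    """Snapshot weights along constant-learning-rate noisy SGD on a toy quadratic loss.

    Constructed stand-in: a real run would flatten a network's parameters instead.
    """
    rng = np.random.default_rng(seed)
    curvature = np.linspace(0.1, 2.0, dim)  # diagonal Hessian of the toy loss
    w = rng.normal(size=dim)
    snapshots = []
    for _ in range(n_collect):
        for _ in range(steps_per_collect):
            # Gradient of 0.5 * sum(curvature * w**2) plus minibatch-style noise.
            grad = curvature * w + rng.normal(size=dim)
            w = w - lr * grad  # the learning rate stays constant, no decay
        snapshots.append(w.copy())
    return np.stack(snapshots)  # shape (n_collect, dim)


def full_pca(weights):
    """Fit PCA with the exact (full) SVD solver so that no singular vector is dropped."""
    # n_components=None keeps min(n_samples, n_features) components.
    pca = PCA(n_components=None, svd_solver="full")
    pca.fit(weights)  # PCA centers the snapshots on their mean before the SVD
    return pca


def effective_rank(pca, tol=1e-8):
    """Count directions whose singular value is non-negligible relative to the largest."""
    s = pca.singular_values_
    return int(np.sum(s > tol * s[0]))


if __name__ == "__main__":
    pca = full_pca(collect_weights())
    print("components kept:", pca.components_.shape[0])
    print("effective rank after centering:", effective_rank(pca))
    print("explained variance ratio:", np.round(pca.explained_variance_ratio_, 3))
```

Centering K snapshots leaves at most K - 1 independent directions, so the last of the K returned singular vectors carries no variance.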

References

  1. Ashukha, A., Lyzhov, A., Molchanov, D., Vetrov, D.: Pitfalls of in-domain uncertainty estimation and ensembling in deep learning (2020). http://arxiv.org/abs/2002.06470

  2. Biggio, B., et al.: Evasion attacks against machine learning at test time. In: Lecture Notes in Computer Science, vol. 8190 LNAI, pp. 387–402 (2013). https://doi.org/10.1007/978-3-642-40994-3_25

  3. Charles, Z., Rosenberg, H., Papailiopoulos, D.: A geometric perspective on the transferability of adversarial directions. In: AISTATS 2019 (2020). http://arxiv.org/abs/1811.03531

  4. Dargan, S., Kumar, M., Ayyagari, M.R., Kumar, G.: A survey of deep learning and its applications: a new paradigm to machine learning. Arch. Comput. Methods Eng. 27(4), 1071–1092 (2019)


  5. Dong, Y., et al.: Boosting adversarial attacks with momentum. In: CVPR, pp. 9185–9193 (2018). https://doi.org/10.1109/CVPR.2018.00957

  6. Eykholt, K., et al.: Robust physical-world attacks on deep learning models (2017). https://doi.org/10.48550/arxiv.1707.08945

  7. Foret, P., Kleiner, A., Mobahi, H., Neyshabur, B.: Sharpness-aware minimization for efficiently improving generalization (2020). http://arxiv.org/abs/2010.01412v3

  8. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples (2014)


  9. Gubri, M., Cordy, M., Papadakis, M., Traon, Y.L.: Efficient and transferable adversarial examples from Bayesian neural networks. UAI 2022 (2022). http://arxiv.org/abs/2011.05074

  10. Gur-Ari, G., Roberts, D.A., Dyer, E.: Gradient descent happens in a tiny subspace (2018). http://arxiv.org/abs/1812.04754

  11. Hochreiter, S., Schmidhuber, J.: Flat minima. Neural Comput. 9(1), 1–42 (1997). https://doi.org/10.1162/NECO.1997.9.1.1


  12. Izmailov, P., Maddox, W.J., Kirichenko, P., Garipov, T., Vetrov, D., Wilson, A.G.: Subspace inference for Bayesian deep learning. In: UAI 2019 (2019). http://arxiv.org/abs/1907.07504

  13. Izmailov, P., Podoprikhin, D., Garipov, T., Vetrov, D., Wilson, A.G.: Averaging weights leads to wider optima and better generalization. In: 34th Conference on Uncertainty in Artificial Intelligence 2018, UAI 2018, vol. 2, pp. 876–885. Association For Uncertainty in Artificial Intelligence (AUAI) (2018). http://arxiv.org/abs/1803.05407

  14. Keskar, N.S., Nocedal, J., Tang, P.T.P., Mudigere, D., Smelyanskiy, M.: On large-batch training for deep learning: generalization gap and sharp minima. In: ICLR 2017 (2016). http://arxiv.org/abs/1609.04836v2

  15. Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: 5th International Conference on Learning Representations, ICLR 2017 - Workshop Track Proceedings (2017). http://arxiv.org/abs/1607.02533

  16. Li, C., Farkhoor, H., Liu, R., Yosinski, J.: Measuring the intrinsic dimension of objective landscapes. In: 6th International Conference on Learning Representations, ICLR 2018 - Conference Track Proceedings (2018). http://arxiv.org/abs/1804.08838v1

  17. Li, Y., Bai, S., Zhou, Y., Xie, C., Zhang, Z., Yuille, A.: Learning transferable adversarial examples via ghost networks. In: AAAI 34(07), pp. 11458–11465 (2018). https://doi.org/10.1609/aaai.v34i07.6810, http://arxiv.org/abs/1812.03413

  18. Maddox, W.J., Garipov, T., Izmailov, P., Vetrov, D., Wilson, A.G.: A simple baseline for Bayesian uncertainty in deep learning. In: NeurIPS, vol. 32 (2019). http://arxiv.org/abs/1902.02476

  19. Mandt, S., Hoffman, M.D., Blei, D.M.: Stochastic gradient descent as approximate Bayesian inference. J. Mach. Learn. Res. 18, 1–35 (2017). http://arxiv.org/abs/1704.04289v2

  20. Papernot, N., McDaniel, P., Goodfellow, I.: Transferability in machine learning: from phenomena to black-box attacks using adversarial samples (2016). http://arxiv.org/abs/1605.07277

  21. Paszke, A., et al.: PyTorch: an imperative style, high-performance deep learning library. In: NIPS, pp. 8024–8035 (2019). http://papers.neurips.cc/paper/9015-pytorch-an-imperative-style-high-performance-deep-learning-library.pdf

  22. Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)


  23. Sharif, M., Bhagavatula, S., Bauer, L., Reiter, M.K.: A general framework for adversarial examples with objectives. ACM Trans. Priv. Secur. 22(3), 30 (2017). https://doi.org/10.1145/3317611


  24. Szegedy, C., et al.: Intriguing properties of neural networks (2013). http://arxiv.org/abs/1312.6199

  25. Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble adversarial training: Attacks and defenses. In: 6th International Conference on Learning Representations, ICLR 2018 - Conference Track Proceedings (2018). http://arxiv.org/abs/1705.07204

  26. Tramèr, F., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: The space of transferable adversarial examples (2017). http://arxiv.org/abs/1704.03453

  27. Wu, D., Wang, Y., Xia, S.T., Bailey, J., Ma, X.: Skip connections matter: on the transferability of adversarial examples generated with ResNets. In: ICLR (2020). http://arxiv.org/abs/2002.05990

  28. Wu, D., Xia, S.T., Wang, Y.: Adversarial weight perturbation helps robust generalization. In: Advances in Neural Information Processing Systems. Neural information processing systems foundation (2020). http://arxiv.org/abs/2004.05884v2

  29. Xie, C., et al.: Improving transferability of adversarial examples with input diversity. In: Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 2019-June, pp. 2725–2734 (2019). https://doi.org/10.1109/CVPR.2019.00284

  30. Xu, K., et al.: Evading real-time person detectors by adversarial T-shirt (2019). http://arxiv.org/abs/1910.11099

  31. Yao, Z., Gholami, A., Keutzer, K., Mahoney, M.W.: PyHessian: neural networks through the lens of the Hessian. Big Data 2020, pp. 581–590 (2019). https://doi.org/10.1109/BigData50022.2020.9378171

  32. Zhang, S., Reid, I., Pérez, G.V., Louis, A.: Why flatness does and does not correlate with generalization for deep neural networks (2021). http://arxiv.org/abs/2103.06219


Acknowledgements

This work is supported by the Luxembourg National Research Funds (FNR) through CORE project C18/IS/12669767/STELLAR/LeTraon.


Corresponding author

Correspondence to Martin Gubri.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Gubri, M., Cordy, M., Papadakis, M., Traon, Y.L., Sen, K. (2022). LGV: Boosting Adversarial Example Transferability from Large Geometric Vicinity. In: Avidan, S., Brostow, G., Cissé, M., Farinella, G.M., Hassner, T. (eds) Computer Vision – ECCV 2022. ECCV 2022. Lecture Notes in Computer Science, vol 13664. Springer, Cham. https://doi.org/10.1007/978-3-031-19772-7_35


  • DOI: https://doi.org/10.1007/978-3-031-19772-7_35


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-19771-0

  • Online ISBN: 978-3-031-19772-7

  • eBook Packages: Computer Science, Computer Science (R0)
