Exploring Non-target Knowledge for Improving Ensemble Universal Adversarial Attacks

The ensemble attack with average weights can be leveraged for increasing the transferability of universal adversarial perturbation (UAP) by training multiple Convolutional Neural Networks (CNNs). However, after analyzing Pearson Correlation Coefficients (PCCs) between logits and individual crafted UAP trained attack, we find that one CNN plays a dominant role during optimization. Consequently, this weighted strategy will weaken contributions other CNNs thus limit black-box CNNs. To deal bias issue, primary attempt is to leverage Kullback–Leibler (KL) divergence loss encourage joint contribution from different CNNs, which still insufficient. After decoupling KL into target-class part non-target-class part, main issue lies in non-target knowledge significantly suppressed due logit target class. In study, simply adopt only considers classes addressing issue. Besides, further boost transferability, incorporate min-max learning framework self-adjust each CNN. Experiments results validate considering achieve superior than original large margin, provide mutual benefit attacks. source code available at: https://github.com/WJJLL/ND-MM.