On the Convergence of an Adaptive Momentum Method for Adversarial Attacks
DOI:
https://doi.org/10.1609/aaai.v38i13.29323Keywords:
ML: Optimization, CV: Adversarial Attacks & RobustnessAbstract
Adversarial examples are commonly created by solving a constrained optimization problem, typically using sign-based methods like Fast Gradient Sign Method (FGSM). These attacks can benefit from momentum with a constant parameter, such as Momentum Iterative FGSM (MI-FGSM), to enhance black-box transferability. However, the monotonic time-varying momentum parameter is required to guarantee convergence in theory, creating a theory-practice gap. Additionally, recent work shows that sign-based methods fail to converge to the optimum in several convex settings, exacerbating the issue. To address these concerns, we propose a novel method which incorporates both an innovative adaptive momentum parameter without monotonicity assumptions and an adaptive step-size scheme that replaces the sign operation. Furthermore, we derive a regret upper bound for general convex functions. Experiments on multiple models demonstrate the efficacy of our method in generating adversarial examples with human-imperceptible noise while achieving high attack success rates, indicating its superiority over previous adversarial example generation methods.
Downloads
Published
2024-03-24
How to Cite
Long, S., Tao, W., LI, S., Lei, J., & Zhang, J. (2024). On the Convergence of an Adaptive Momentum Method for Adversarial Attacks. Proceedings of the AAAI Conference on Artificial Intelligence, 38(13), 14132-14140. https://doi.org/10.1609/aaai.v38i13.29323
Issue
Section
AAAI Technical Track on Machine Learning IV
