EnsembleFool: A method to generate adversarial examples based on model fusion strategy
Computers & Security (IF 4.8), Pub Date: 2021-05-07, DOI: 10.1016/j.cose.2021.102317
Wenyu Peng, Renyang Liu, Ruxin Wang, Taining Cheng, Zifeng Wu, Li Cai, Wei Zhou

Deep neural networks have been shown to be vulnerable to adversarial attacks launched by adversarial examples. These examples’ transferability makes an attack in the real world feasible, which poses a security threat to deep learning. Considering the limited representation capacity of a single deep model, the transferability of an adversarial example generated by a single attack model would cause the failure of attacking other different models. In this paper, we propose a new adversarial attack method, named EnsembleFool, which flexibly integrates multiple models to enhance adversarial examples’ transferability. Specifically, the model confidence concerning an input example reveals the risk of a successful attack. In an iterative attacking case, the result of a previous attack could guide us to enforce a new attack that possesses a higher probability of success. Regarding this, we design a series of integration strategies to improve the adversarial examples in each iteration. Extensive experiments on ImageNet indicate that the proposed method has superior attack performance and transferability compared with state-of-the-art methods.




Updated: 2021-05-23