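Adversarial system
Computer science
Feature (linguistics)
Transferability
Margin (machine learning)
Key (lock)
Machine learning
Artificial intelligence
Data mining
Computer security
Philosophy
Linguistics
Logit
Authors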
Xianglong He,Yuezun Li,Haipeng Qu,Junyu Dong
Identifier
DOI:10.1016/j.cose.2023.103135
Abstract
Transferable adversarial attack, using adversarial perturbations made on known models to attack unknown models, has made significant progress in recent years. The feature-level adversarial approach, in particular, is one of the most common solutions and can improve transferability by disrupting intermediate features, regardless of the task-specific loss objectives. Once the intermediate features are disrupted, the subsequent prediction will naturally go wrong. To accomplish this, the existing methods often start an attack by creating a guidance map on features that shows the importance level of each feature element, and then they use an iterative strategy to disrupt the features based on the guidance map. However, the drawback of existing methods is that the guidance map is always fixed in iterations, which cannot consistently reflect the importance of feature elements, limiting the performance of the attack consequently. In this paper, we describe a new method called Feature-Momentum Adversarial Attack (FMAA) to enhance transferability. The key idea is that we estimate a guidance map dynamically at each iteration using a momentum-style approach to effectively disturb the features. Extensive experiments demonstrate that our method significantly outperforms other state-of-the-art methods by a large margin on different target models.