Recent research has shown that adversarial samples are highly transferable and can be used to attack other unknown black-box Deep Neural Networks (DNNs). To improve the transferability of adversarial samples, several feature-based adversarial attack methods have been proposed to disrupt neuron activation in the middle layers. However, current state-of-the-art feature-based attack methods typically require additional computation costs for estimating the importance of neurons. To address this challenge, we propose a Singular Value Decomposition (SVD)-based feature-level attack method. Our approach is inspired by the discovery that eigenvectors associated with the larger singular values decomposed from the middle layer features exhibit superior generalization and attention properties. Specifically, we conduct the attack by retaining the dominant decomposed feature that corresponds to the largest singular value (i.e., Rank-1 decomposed feature) for computing the output logits before the final softmax. These logits are later integrated with the original logits to optimize adversarial examples. Our extensive experimental results verify the effectiveness of our proposed method, which can be easily integrated into various baselines to significantly enhance the transferability of adversarial samples for disturbing normally trained CNNs and advanced defense strategies. The source code is available at Link.

中文翻译：

---

通过 Logits 与主导分解特征的混合来提高对抗性可传递性


最近的研究表明，对抗性样本具有高度可转移性，可用于攻击其他未知的黑盒深度神经网络 （DNN）。为了提高对抗样本的可转移性，已经提出了几种基于特征的对抗攻击方法来破坏中间层的神经元激活。然而，当前最先进的基于特征的攻击方法通常需要额外的计算成本来估计神经元的重要性。为了应对这一挑战，我们提出了一种基于奇异值分解 （SVD） 的特征级攻击方法。我们的方法受到以下发现的启发，即与从中间层特征分解的较大奇异值相关的特征向量表现出卓越的泛化和注意力特性。具体来说，我们通过保留对应于最大奇异值（即 Rank-1 分解特征）的主要分解特征来进行攻击，以计算最终 softmax 之前的输出 logits。这些 Logit 稍后与原始 Logit 集成，以优化对抗性示例。我们广泛的实验结果验证了我们提出的方法的有效性，该方法可以很容易地集成到各种基线中，以显着增强对抗样本的可转移性，以干扰正常训练的 CNN 和先进的防御策略。源代码可在 Link 上获得。