Promoting adversarial transferability with enhanced loss flatness

Carefully crafted small perturbations, when added to an image, can mislead the deep neural networks to give wrong outputs. Such mischievous images are called adversarial examples. Transfer-based black-box attacks use a surrogate white-box model to generate adversarial examples which can be transferred and attack black-box models with little known information. We propose to increase the transferability of adversarial examples by smoothing the geometric surface of loss function at the adversarial example point. By looking ahead the optimization path for a few steps, we define a future geometric vicinity using the integration of neighbourhood of those predicted data points. By sampling in this area and using the summation of gradients at those sampled data points for optimization, our method avoids local fluctuation of loss function. Experiments on ImageNet validation dataset show that our method outperforms state-of-the-art attacks by a large margin.