Adversarial system
Training (meteorology)
Computer science
Artificial intelligence
Geography
Meteorology
Authors
Lingguang Hao,Kuangrong Hao,Yaochu Jin,Hongzhi Zhao
Abstract
Transfer-based attacks employ the proxy model to craft adversarial examples against the target model, which has seen significant advancements in black-box attacks. Conversely, adversarial defense strategies have been devised to mitigate such attacks. Unfortunately, current attack methods mainly rely on neural network training techniques, such as input transformation and gradient regularization, without harnessing defense mechanisms to enhance themselves. In light of this, we propose a novel training framework to enhance transfer-based attack methods with hypothetical defenses (TA-HD). Specifically, this framework enhances the generalization of generated adversarial examples against the target model by incorporating a hypothetical defense mechanism into the proxy model. To simplify implementation, we define this hypothetical defense as an input denoising network to validate the effectiveness of the proposed training framework. Simultaneously, we introduce an adversarial training strategy and design a pair of adversarial loss functions to optimize the parameters of the input denoising network. Extensive experiments demonstrate the superior performance of our proposed training framework, with our method improving the success rate of transfer-based attacks by up to 19.9%.