Is FGSM Optimal or Necessary for L∞ Adversarial Attack?

Abstract

Due to its simplicity and efficiency, the fast gradient sign method (FGSM) has been widely used in L∞ norm-bounded adversarial attack. Its iterative variant I-FGSM has become the de facto standard practice of performing a strong attack but suffers from a low transfer rate. Momentum-based iterative FGSM, i.e. MI-FGSM, is the first technique for boosting the transferability of I-FGSM. In this work, we identify two drawbacks of MI-FGSM: inducing higher average pixel discrepancy (APD) to the image as well as making the current iteration update overly dependent on the historical gradients. They increase the perturbation visibility as well as limit the potential of even higher transferability. We revisit why momentum improves the transferability and attribute it to alleviating the unreliable sign directions for the small gradient values. This unreliable sign direction problem occurs because the sign operation in FGSM maps all positive and negative gradient values to 1 and -1, respectively while ignoring their actual values. To this end, we propose a new momentum-free iterative method that processes the gradient with a generalizable Cut&Norm operation instead of a sign operation. In a wide range of attack setups, our approach consistently outperforms existing MI-FGSM by a large margin for white-box and black-box attacks in both non-targeted and targeted settings.