Transcend Adversarial Examples: Diversified Adversarial Attacks to Test Deep Learning Model

Existing optimized adversarial attacks rely on the ability to search for perturbation within lp norm while keeping maximized loss for highly non-convex loss functions. Random initialization perturbation and the steepest gradient direction strategy are efficient techniques to prevent falling into local optima but compromise the capability of diversity exploration. Therefore, we introduce the Diversity-Driven Adversarial Attack (DAA), which incorporates Output Diversity Strategy (ODS) and diverse initialization gradient direction into the optimized adversarial attack algorithm, aiming to refine the inherent properties of the adversarial examples (AEs). More specifically, we design a diversity-promoting regularizer to penalize the insignificant distance between initialization gradient directions based on the version of ODS. Extensive experiments demonstrate that DAA can efficiently improve existing coverage criteria without sacrificing the performance of attack success rate, which implies that DAA can implicitly explore more internal model logic of DL model.