Improving the transferability of adversarial samples with channel switching

Deep neural network models are vulnerable to interference from adversarial samples. An alarming issue is that adversarial samples are often transferable, implying that an adversarial sample generated by one model can attack other models. In a black-box setting, the usual approach for attacking is to use the white-box model as a proxy model to generate adversarial samples and use the generated samples to deceive the black-box model. However, these methods have a higher success rate for white-box models and exhibit weak transferability for black-box models. Various methods have been proposed to improve the transferability among which the input transformation-based methods are considered the most effective. However, the potential of a single input image has not been fully exploited in these techniques. In this study, we propose a simple channel switching method called CS-MI-FGSM to obtain the variants of the input image and mix them during momentum updating. Experiments on the ImageNet and the NeurIPS 2017 adversarial competition datasets demonstrated that the proposed method can effectively improve the transferability of adversarial samples.