DMFP: Dynamic multiscale feature perturbations for transferable adversarial attacks

The transferability of adversarial samples facilitates adversarial attacks for the evaluation of the robustness of deep learning models, in which mitigating overfitting is of central importance for improving the transferability of adversarial samples. Current methods use regularization approaches to improve transferability without considering the degree of fitting of the adversarial perturbation and prior multiscale information of the source model during optimization, failing to find a flat minimum and improve generalization. This results in mutual inhibition of the attack capability and transferability. Therefore, our objective is to introduce the degree of fitting of the adversarial perturbation to dynamically regularize the multiscale feature for a better tradeoff between attack capability and transferability. In this paper, we propose dynamic multiscale feature perturbations (DMFP). Specifically, we investigate the properties of legitimate and adversarial features through qualitative visualization and quantitative distance metrics and devise multiscale feature perturbations (MFP). A combination of multiscale information and feature significance can perturb the salient features of a sample. In addition, we analyze the regularization effect produced by dropout in feature-level attacks and propose dynamic features (DF) to mitigate overfitting and enhance the generalization of adversarial samples by introducing gradient information. The experimental results demonstrate that DMFP significantly enhances the transferability of existing attack methods and achieves better performance than state-of-the-art methods, i.e., improving the success rate by 3.8 % against normally trained models and 12.8 % against defense models.