TransNoise: Transferable Universal Adversarial Noise for Adversarial Attack
ARTIFICIAL NEURAL NETWORKS AND MACHINE LEARNING, ICANN 2023, PT V (2023)
Abstract
Deep neural networks have been proven to be vulnerable to adversarial attacks. The early attacks mostly involved image-specific approaches that generated specific adversarial noises for each individual image. More recent studies have further demonstrated that neural networks can also be fooled by image-agnostic noises, called “universal adversarial perturbations”. However, the current universal adversarial attacks mainly focus on untargeted attacks and exhibit poor transferability. In this paper, we propose TransNoise, a new approach for implementing a transferable universal adversarial attack that involves modifying only a few pixels of the image. Our approach achieves state-of-the-art success rates in the universal adversarial attack domain for both targeted and untargeted settings. The experimental results demonstrate that our method outperforms the current methods in three aspects of universality: 1) by adding our universal adversarial noises to different images, the fooling rates of our method on the target model are almost all above 95%; 2) when no training data are available for the targeted model, our method is still able to implement targeted attacks; 3) the method transfers well across different models in the untargeted setting.
Keywords
Adversarial attack, Universal adversarial noise, Deep neural networks