We know that adversarial examples can transfer from one model to another, but transfer is not guaranteed. Suppose we have two target models, M and F, that perform the same image classification task. For a normal image x, we want to generate an adversarial example x′ that can attack both models:
• If we can use the FGSM method, how can we guarantee that x′ attacks both models instead of only one?
• Suppose we want to perform a black-box attack, meaning that we can query the model to get an output label but do not know the model architecture, trained weights, training data, or even the number of output labels. How can we generate x′?
• Going beyond models, if the system first applies a set of unknown but commonly seen image pre-processing steps (e.g., white balancing, enhancement), how can we effectively generate adversarial examples in the black-box setting?