通过可迁移性差距提升对抗可迁移性

doi:10.3969/j.issn.0255-8297.2025.05.007

Abstract

Abstract: Existing transfer-based attacks primarily focus on maximizing the empirical risk while ignoring the expected risk, which often leads to suboptimal transferability. To address this issue, we propose a transferability-gap-aware attack framework. First, we formulate the objective of transfer-based attacks as an expected risk and introduce the notion of the transferability gap, which quantifies the absolute discrepancy between the empirical risk and the expected risk. Our analysis reveals that when the transferability gap is small, maximizing the empirical risk becomes approximately equivalent to maximizing the expected risk, thereby leading to highly transferable adversarial examples. Based on this insight, the proposed method min-max the transferability gap while maximizing the empirical risk. Such min-max problem allows the attack algorithm with the strongest transferability to be found in the case of the hardest transferability. Experimental results show that the proposed method outperforms the recent state-of-the-art transfer-based attacks and achieves fast generation of highly transferable adversarial examples.

Key words: adversarial attack, transferability, expected risk, transferability gap

CLC Number:

WANG Jingwei, WANG Haihua, WU Hao, LUO Xiangyang, MA Bin. Improvement of Adversarial Transferability via Transferability Gap[J]. Journal of Applied Sciences, 2025, 43(5): 799-807.

References

[1] Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks [DB/OL]. (2013-12-21) [2023-08-31]. https://arxiv.org/abs/1312.6199.
[2] Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples [DB/OL]. (2014-12-20) [2023-08-31]. https://arxiv.org/abs/1412.6572.
[3] Guo Y, Li Q, Chen H. Backpropagating linearly improves transferability of adversarial examples [C]//Advances in Neural Information Processing Systems, 2020, 33: 85-95.
[4] Papernot N, Mcdaniel P, Goodfellow I, et al. Practical black-box attacks against machine learning [C]//ACM on Asia Conference on Computer and Communications Security, 2017: 506- 519.
[5] Zhu Y, Sun J, Li Z. Rethinking adversarial transferability from a data distribution perspective [EB/OL]. (2022-01-29) [2023-08-31]. https://openreview.net/forum?id=gVRhIEajG1k.
[6] Zhu Y, Chen Y, Li X, et al. Toward understanding and boosting adversarial transferability from a distribution perspective [J]. IEEE Transactions on Image Processing, 2022, 31: 6487-6501.
[7] Liu Y P, Chen X Y, Liu C, et al. Delving into transferable adversarial examples and black-box attacks [EB/OL]. (2017-02-06) [2023-08-31]. https://openreview.net/forum?id=Sys6GJqxl.
[8] Tramèr F, Papernot N, Goodfellow I, et al. The space of transferable adversarial examples [DB/OL]. (2017-04-11) [2023-08-31]. https://arxiv.org/abs/1704.03453.
[9] Liu F, Zhang C, Zhang H. Towards transferable unrestricted adversarial examples with minimum changes [C]//IEEE Conference on Secure and Trustworthy Machine Learning, 2023: 327- 338.
[10] Dong Y, Liao F, Pang T, et al. Boosting adversarial attacks with momentum [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2018: 9185-9193.
[11] Kurakin A, Goodfellow I, Bengio S. Adversarial examples in the physical world [J]. Artificial Intelligence Safety and Security, 2018: 99-112.
[12] Polyak B T. Some methods of speeding up the convergence of iteration methods [J]. USSR Computational Mathematics and Mathematical Physics, 1964, 4(5): 1-17.
[13] Nesterov Y. A method for unconstrained convex minimization problem with the rate of convergence O (1/k2) [J]. Academy of Sciences of the USSR, 1983, 269(3): 543.
[14] Lin J, Song C, He K, et al. Nesterov accelerated gradient and scale invariance for adversarial attacks [EB/OL]. (2019-12-20) [2023-08-31]. https://openreview.net/forum?id=SJlHwkBYDH.
[15] Xie C, Zhang Z, Zhou Y, et al. Improving transferability of adversarial examples with input diversity [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019: 2730- 2739.
[16] Wang X, He K. Enhancing the transferability of adversarial attacks through variance tuning [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021: 1924-1933.
[17] Wang Z, Guo H, Zhang Z, et al. Feature importance-aware transferable adversarial attacks [C]//IEEE/CVF International Conference on Computer Vision, 2021: 7639-7648.
[18] Salzmann M. Learning transferable adversarial perturbations [C]//2021 Advances in Neural Information Processing Systems, 2021, 34: 13950-13962.
[19] Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks [DB/OL]. (2017-06-19) [2023-08-31]. https://arxiv.org/abs/1706.06083.
[20] Girshick R. Fast R-CNN [C]//IEEE International Conference on Computer Vision, 2015: 1440- 1448.
[21] Goodfellow I, Pouget A J, Mirza M, et al. Generative adversarial nets [C]//2014 Advances in Neural Information Processing Systems, 2014, 27: 2672-2680.
[22] Von N J, Morgenstern O. Theory of games and economic behavior [M]//Princeton, NJ, The US: Princeton University Press, 1947.
[23] Griffin G, Holub A, Perona P. Caltech-256 object category dataset [EB/OL] (2007-03-10) [2023-08-31]. https://authors.library.caltech.edu/records/5sv1j-ytw97.
[24] Szegedy C, Vanhoucke V, Ioffe S, et al. Rethinking the inception architecture for computer vision [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2016: 2818-2826.
[25] Szegedy C, Ioffe S, Vanhoucke V, et al. Inception-v4, Inception-ResNet and the impact of residual connections on learning [C]//AAAI Conference on Artificial Intelligence, 2017, 31(1): 4278-4284.
[26] He K, Zhang X, Ren S, et al. Deep residual learning for image recognition [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2016: 770-778.
[27] Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition [DB/OL]. (2014-09-04) [2023-08-31]. https://arxiv.org/abs/1409.1556.
[28] Liao F, Liang M, Dong Y, et al. Defense against adversarial attacks using high-level representation guided denoiser [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2018: 1778-1787.
[29] Xie C, Wang J, Zhang Z, et al. Mitigating adversarial effects through randomization [EB/OL]. (2018-02-16) [2023-08-31]. https://openreview.net/forum?id=Sk9yuql0Z.
[30] Liu Z, Liu Q, Liu T, et al. Feature distillation: DNN-oriented JPEG compression against adversarial examples [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019: 860-868.
[31] Johnson J, Alahi A, Fei-Fei L. Perceptual losses for real-time style transfer and superresolution [C]//14th European Conference on Computer Vision, 2016: 694-711.
[32] Zhang J, Wu W, Huang J, et al. Improving adversarial transferability via neuron attributionbased attacks [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 14993-15002.
[33] Li Y, Bai S, Zhou Y, et al. Learning transferable adversarial examples via ghost networks [C]//AAAI Conference on Artificial Intelligence, 2020, 34(07): 11458-11465.
[34] Poursaeed O, Katsman I, Gao B, et al. Generative adversarial perturbations [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2018: 4422-4431.
[35] Naseer M M, Khan S H, Khan M H, et al. Cross-domain transferability of adversarial perturbations [C]//2019 Advances in Neural Information Processing Systems, 2019, 32.
[36] Zhang Q, Li X, Chen Y, et al. Beyond ImageNet attack: towards crafting adversarial examples for black-box domains [DB/OL]. (2022-01-27) [2023-08-31]. https://arxiv.org/abs/2201.11528.

Improvement of Adversarial Transferability via Transferability Gap

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	HE Jiabei, ZHOU Juxiang, GAN Jianhou, WU Di, WEN Xiaoyu. Classroom Expression Classification Model Based on Multitask Learning [J]. Journal of Applied Sciences, 2024, 42(6): 947-961.
[2]	LI Sha, WANG Yongxiong, WANG Zhe, CHEN Xu, HE Jiaxin. Casting Defect Detection Based on Local and Global Features [J]. Journal of Applied Sciences, 2024, 42(5): 757-768.
[3]	HUA Yitan, HUANG Yingping, GUO Wenhao. Fusion of Point-Cloud and Image for Road Segmentation Using CNN and Transformer [J]. Journal of Applied Sciences, 2024, 42(4): 695-708.
[4]	CUI Shuaihua, YU Lei, HE Xi, XIONG Bangshu, OU Qiaofeng. A Large FOV Convergence Binocular Stereo Vision Calibration Method [J]. Journal of Applied Sciences, 2024, 42(2): 269-279.
[5]	XIONG Juan, ZHANG Sunjie, KAN Yaya, CHEN Jiahao. Remote Sensing Image Object Detection Based on CAFPN and Refinement Double-Head Decoupling [J]. Journal of Applied Sciences, 2023, 41(6): 989-1003.
[6]	WANG Hui, DING Boxu. Human Action Sequence Prediction of 3D Point Cloud Representation [J]. Journal of Applied Sciences, 2023, 41(3): 461-475.
[7]	XIAO Xiaotong, DING Jianwei, ZHANG Qi. Segmented Backdoor Defense Based on Local Gradient and Global Gradient Ascent [J]. Journal of Applied Sciences, 2023, 41(2): 218-227.
[8]	XU Zengmin, LU Guangjian, CHEN Junyan, CHEN Jinlong, DING Yong. Person Re-identification Algorithm Based on Channel Feature Aggregation [J]. Journal of Applied Sciences, 2023, 41(1): 107-120.
[9]	ZOU Qianying, CHEN Huiyang, LI Yongsheng, HU Liwen, WANG Xiaofang. Optimization Algorithm for Dark Edge Detection of Deep-Sea Image Based on Particle Swarm Optimization [J]. Journal of Applied Sciences, 2023, 41(1): 153-169.
[10]	ZHANG Yubin, CHEN Yaofeng, LE Juan, CHENG Qiyou. Circle Center Detection and Correction Method of Circular Markers in Helicopter Blade Image [J]. Journal of Applied Sciences, 2022, 40(2): 212-223.
[11]	ZHENG Zhiwen, GAN Jianhou, ZHOU Juxiang, OUYANG Zhaoxiang, LU Zeguang. Fine-Grained Image Classification Based on Inference Graph of Attention Network [J]. Journal of Applied Sciences, 2022, 40(1): 36-46.
[12]	WEI Mingjun, ZHOU Taiyu, JI Zhanlin, ZHANG Xinnan. Mask Wearing Detection in Complex Scenes Based on Mask-YOLO [J]. Journal of Applied Sciences, 2022, 40(1): 93-104.
[13]	LEI Qianhui, PAN Lili, SHAO Weizhi, HU Haipeng, HUANG Yao. Segmentation Model of COVID-19 Lesions Based on Triple Attention Mechanism [J]. Journal of Applied Sciences, 2022, 40(1): 105-115.
[14]	YU Qun, ZHANG Jianxin, WEI Xiaopeng, ZHANG Qiang. Cascaded Separable and Dilated Residual U-Net for Liver Tumor Segmentation [J]. Journal of Applied Sciences, 2021, 39(3): 378-377.
[15]	ZHANG Yubin, XIONG Bangshu, OU Qiaofeng, HUANG Jianping, CHEN Yaofeng. Circular Marker Detection of Under-Exposed Images of Helicopter Blades Based on YOLOv3 and Watershed [J]. Journal of Applied Sciences, 2020, 38(6): 906-915.