DAASH: A Meta-Attack Framework for Synthesizing Effective and Stealthy Adversarial Examples
Abdullah Al Nomaan Nafi 1, Habibur Rahaman 2, Zafaryab Haider 1, Tanzim Mahfuz 1, Fnu Suya 3, Swarup Bhunia 2, Prabuddha Chakraborty 1
Published on arXiv
2508.13309
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
DAASH achieves 20.63% higher attack success rate than AdvAD on adversarially trained models while simultaneously improving perceptual quality (SSIM +11, LPIPS −0.015, FID −5.7)
DAASH
Novel technique introduced
Numerous techniques have been proposed for generating adversarial examples in white-box settings under strict Lp-norm constraints. However, such norm-bounded examples often fail to align well with human perception, and only recently have a few methods begun specifically exploring perceptually aligned adversarial examples. Moreover, it remains unclear whether insights from Lp-constrained attacks can be effectively leveraged to improve perceptual efficacy. In this paper, we introduce DAASH, a fully differentiable meta-attack framework that generates effective and perceptually aligned adversarial examples by strategically composing existing Lp-based attack methods. DAASH operates in a multi-stage fashion: at each stage, it aggregates candidate adversarial examples from multiple base attacks using learned, adaptive weights and propagates the result to the next stage. A novel meta-loss function guides this process by jointly minimizing misclassification loss and perceptual distortion, enabling the framework to dynamically modulate the contribution of each base attack throughout the stages. We evaluate DAASH on adversarially trained models across CIFAR-10, CIFAR-100, and ImageNet. Despite relying solely on Lp-constrained methods, DAASH significantly outperforms state-of-the-art perceptual attacks such as AdvAD, achieving higher attack success rates (e.g., 20.63% improvement) and superior visual quality, as measured by SSIM, LPIPS, and FID (improvements of approximately 11, 0.015, and 5.7, respectively). Furthermore, DAASH generalizes well to unseen defenses, making it a practical and strong baseline for evaluating robustness without requiring handcrafted adaptive attacks for each new defense.
Key Contributions
- Fully differentiable multi-stage meta-attack framework (DAASH) that aggregates candidate adversarial examples from multiple Lp-based base attacks using learned, adaptive per-stage weights
- Novel meta-loss function jointly minimizing misclassification loss and perceptual distortion (SSIM, LPIPS, FID), enabling dynamic modulation of base attack contributions
- Outperforms state-of-the-art perceptual attack AdvAD by 20.63% in attack success rate while improving visual quality, and generalizes to unseen defenses without requiring handcrafted adaptive attacks
🛡️ Threat Analysis
DAASH is a white-box adversarial attack framework that crafts inputs at inference time to cause misclassification. It composes multiple gradient-based Lp-constrained base attacks via learned adaptive weights and a novel meta-loss that jointly minimizes misclassification and perceptual distortion — directly targeting adversarial example generation.