ML Security PapersIGAff: Benchmarking Adversarial Iterative and Genetic Affine Algorithms on Deep Neural Networks
Sebastian-Vasile Echim 1, Andrei-Alexandru Preda 1, Dumitru-Clementin Cercel 1, Florin Pop 1,2
1 National University of Science and Technology POLITEHNICA Bucharest
2 National Institute for Research & Development in Informatics
Published on arXiv
2509.06459
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
ATA and AGA achieve up to 8.82% accuracy improvement over comparable black-box methods (Pixle, Square Attack) on image classification tasks across CNN and transformer architectures.
ATA/AGA (Affine Transformation Attack / Affine Genetic Attack)
Novel technique introduced
Deep neural networks currently dominate many fields of the artificial intelligence landscape, achieving state-of-the-art results on numerous tasks while remaining hard to understand and exhibiting surprising weaknesses. An active area of research focuses on adversarial attacks, which aim to generate inputs that uncover these weaknesses. However, this proves challenging, especially in the black-box scenario where model details are inaccessible. This paper explores in detail the impact of such adversarial algorithms on ResNet-18, DenseNet-121, Swin Transformer V2, and Vision Transformer network architectures. Leveraging the Tiny ImageNet, Caltech-256, and Food-101 datasets, we benchmark two novel black-box iterative adversarial algorithms based on affine transformations and genetic algorithms: 1) Affine Transformation Attack (ATA), an iterative algorithm maximizing our attack score function using random affine transformations, and 2) Affine Genetic Attack (AGA), a genetic algorithm that involves random noise and affine transformations. We evaluate the performance of the models in the algorithm parameter variation, data augmentation, and global and targeted attack configurations. We also compare our algorithms with two black-box adversarial algorithms, Pixle and Square Attack. Our experiments yield better results on the image classification task than similar methods in the literature, achieving an accuracy improvement of up to 8.82%. We provide noteworthy insights into successful adversarial defenses and attacks at both global and targeted levels, and demonstrate adversarial robustness through algorithm parameter variation.
Key Contributions
- Two novel black-box adversarial attack algorithms: ATA (iterative affine transformation-based) and AGA (genetic algorithm combining affine transformations and random noise)
- Comprehensive benchmarking across ResNet-18, DenseNet-121, Swin Transformer V2, and ViT on Tiny ImageNet, Caltech-256, and Food-101 with parameter variation analysis
- Evaluation in untargeted global, targeted, data augmentation, and adversarial defense configurations, outperforming Pixle and Square Attack by up to 8.82% accuracy
🛡️ Threat Analysis
Proposes ATA and AGA, two novel black-box adversarial input manipulation attacks that apply affine transformations and genetic search to craft misclassification-inducing inputs at inference time, evaluated in both untargeted and targeted attack configurations.