Exploring Semantic-constrained Adversarial Example with Instruction Uncertainty Reduction
Jin Hu 1,2, Jiakai Wang 2, Linna Jing 1, Haolin Li 1, Haodong Liu 1, Haotong Qin 3, Aishan Liu 1, Ke Xu 1,2, Xianglong Liu 1,2
Published on arXiv: 2510.22981
OWASP ML Top 10 — ML01: Input Manipulation Attack
Key Finding
InSUR achieves an 18.2% improvement in attack potency over Text2Adv, with a CLIP score of 0.814 vs. 0.605 for the baseline, across 12 datasets, and includes the first reference-free 3D semantic adversarial examples.
Novel technique introduced: InSUR (Instruction Uncertainty Reduction)
Recently, semantically constrained adversarial examples (SemanticAE), which are directly generated from natural language instructions, have become a promising avenue for future research due to their flexible attacking forms. To generate SemanticAEs, current methods fall short of satisfactory attacking ability as the key underlying factors of semantic uncertainty in human instructions, such as referring diversity, descriptive incompleteness, and boundary ambiguity, have not been fully investigated. To tackle the issues, this paper develops a multi-dimensional instruction uncertainty reduction (InSUR) framework to generate more satisfactory SemanticAE, i.e., transferable, adaptive, and effective. Specifically, in the dimension of the sampling method, we propose the residual-driven attacking direction stabilization to alleviate the unstable adversarial optimization caused by the diversity of language references. By coarsely predicting the language-guided sampling process, the optimization process will be stabilized by the designed ResAdv-DDIM sampler, therefore releasing the transferable and robust adversarial capability of multi-step diffusion models. In task modeling, we propose the context-encoded attacking scenario constraint to supplement the missing knowledge from incomplete human instructions. Guidance masking and renderer integration are proposed to regulate the constraints of 2D/3D SemanticAE, activating stronger scenario-adapted attacks. Moreover, in the dimension of generator evaluation, we propose the semantic-abstracted attacking evaluation enhancement by clarifying the evaluation boundary, facilitating the development of more effective SemanticAE generators. Extensive experiments demonstrate the superiority of the transfer attack performance of InSUR. Moreover, we realize the reference-free generation of semantically constrained 3D adversarial examples for the first time.
Key Contributions
- ResAdv-DDIM sampler that stabilizes adversarial optimization over diffusion model sampling paths, improving transferability of semantic adversarial examples
- Context-encoded attacking scenario constraints using guidance masking and renderer integration to handle incomplete natural language instructions for 2D and 3D adversarial example generation
- First reference-free generation of semantically constrained 3D adversarial examples using language-guided 3D generation models
🛡️ Threat Analysis
The paper's primary contribution is a novel framework for generating adversarial examples (SemanticAE) that cause misclassification at inference time. Despite using natural language as specification and diffusion models as the generator, the adversarial artifacts are crafted visual inputs targeting image classifiers and commercial vision APIs — a classic adversarial example attack with a novel generation pipeline. The paper explicitly focuses on transferability, attack success rate, and evasion of vision models.