Beyond Deceptive Flatness: Dual-Order Solution for Strengthening Adversarial Transferability
Zhixuan Zhang 1, Pingyu Wang 1, Xingjian Zheng 2, Linbo Qing 1, Qi Liu 3
Published on arXiv: 2511.01240
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Outperforms six representative baselines in adversarial transferability across diverse model architectures on ImageNet-compatible data and on the Baidu Cloud API, with further gains when combined with input transformation attacks.
AFA (Adversarial Flatness Attack) / MCAS (MonteCarlo Adversarial Sampling)
Novel technique introduced
Transferable attacks generate adversarial examples on surrogate models to fool unknown victim models, posing real-world threats and growing research interest. Despite focusing on flat losses for transferable adversarial examples, recent studies still fall into suboptimal regions, especially the flat-yet-sharp areas, termed as deceptive flatness. In this paper, we introduce a novel black-box gradient-based transferable attack from a perspective of dual-order information. Specifically, we feasibly propose Adversarial Flatness (AF) to the deceptive flatness problem and a theoretical assurance for adversarial transferability. Based on this, using an efficient approximation of our objective, we instantiate our attack as Adversarial Flatness Attack (AFA), addressing the altered gradient sign issue. Additionally, to further improve the attack ability, we devise MonteCarlo Adversarial Sampling (MCAS) by enhancing the inner-loop sampling efficiency. The comprehensive results on the ImageNet-compatible dataset demonstrate superiority over six baselines, generating adversarial examples in flatter regions and boosting transferability across model architectures. When tested on input transformation attacks or the Baidu Cloud API, our method outperforms baselines.
Key Contributions
- Identifies 'deceptive flatness' (flat-yet-sharp loss regions) as a failure mode of prior transferable attack methods and proposes Adversarial Flatness (AF) with theoretical transferability guarantees using dual-order (zeroth + first order) gradient information.
- Instantiates AF as the Adversarial Flatness Attack (AFA), an efficient approximation that resolves the altered gradient sign problem during iterative optimization.
- Proposes MonteCarlo Adversarial Sampling (MCAS) to diversify inner-loop sampling, further boosting attack transferability across architectures and on the Baidu Cloud API.
🛡️ Threat Analysis
Core contribution is a gradient-based adversarial example attack (AFA + MCAS) that crafts transferable adversarial inputs at inference time to cause misclassification on unknown black-box victim models — a direct evasion/input manipulation attack.