Dynamic Parameter Optimization for Highly Transferable Transformation-Based Attacks

Despite their wide application, the vulnerabilities of deep neural networks raise societal concerns. Among them, transformation-based attacks have demonstrated notable success in transfer attacks. However, existing attacks suffer from blind spots in parameter optimization, limiting their full potential. Specifically, (1) prior work generally considers low-iteration settings, yet attacks perform quite differently at higher iterations, so characterizing overall performance based only on low-iteration results is misleading. (2) Existing attacks use uniform parameters for different surrogate models, iterations, and tasks, which greatly impairs transferability. (3) Traditional transformation parameter optimization relies on grid search. For n parameters with m steps each, the complexity is O(mn). Large computational overhead limits further optimization of parameters. To address these limitations, we conduct an empirical study with various transformations as baselines, revealing three dynamic patterns of transferability with respect to parameter strength. We further propose a novel Concentric Decay Model (CDM) to effectively explain these patterns. Building on these insights, we propose an efficient Dynamic Parameter Optimization (DPO) based on the rise-then-fall pattern, reducing the complexity to O(nlogm). Comprehensive experiments on existing transformation-based attacks across different surrogate models, iterations, and tasks demonstrate that our DPO can significantly improve transferability.

Key Contributions

Empirical study revealing three dynamic patterns of adversarial transferability with respect to transformation parameter strength across iterations, surrogate models, and tasks — showing low-iteration evaluations are misleading
Concentric Decay Model (CDM) that theoretically explains observed transferability patterns using KL-divergence-based plausible model density around the surrogate
Dynamic Parameter Optimization (DPO) that reduces parameter search complexity from O(mn) to O(n log₂m) while substantially improving transfer attack success rates across existing attacks (Admix, SSIM, STM, BSR)

🛡️ Threat Analysis

Input Manipulation Attack

Proposes Dynamic Parameter Optimization (DPO) to improve transformation-based adversarial attacks — these are input manipulation attacks crafting adversarial examples that transfer across black-box target models at inference time, directly improving evasion attack success rates.

Details

Domains

vision

Model Types

cnntransformer

Threat Tags

black_boxgrey_boxinference_timeuntargetedtargeteddigital

Datasets

NeurIPS'17 adversarial dataset

Applications

Key Contributions

🛡️ Threat Analysis

Details

Similar Papers

AIM: Additional Image Guided Generation of Transferable Adversarial Attacks

Boosting Adversarial Transferability via Ensemble Non-Attention

IGAff: Benchmarking Adversarial Iterative and Genetic Affine Algorithms on Deep Neural Networks

SEGA: A Transferable Signed Ensemble Gaussian Black-Box Attack against No-Reference Image Quality Assessment Models

Boosting Adversarial Transferability with Spatial Adversarial Alignment

MS-GAGA: Metric-Selective Guided Adversarial Generation Attack

Towards a 3D Transfer-based Black-box Attack via Critical Feature Guidance

Boosting Adversarial Transferability via Residual Perturbation Attack