Towards Assessing the Synthetic-to-Measured Adversarial Vulnerability of SAR ATR

Bowen Peng, Bo Peng, Jingyuan Xia, Tianpeng Liu, Yongxiang Liu, Li Liu

TL;DR

This work addresses the pragmatic risk of adversarial perturbations in SAR ATR by examining a synthetic-to-measured (S2M) transfer setting, where perturbations are crafted from synthetic data to attack victim models trained on measured data. It introduces the Transferability Estimation Attack (TEA), a two-stage, estimator-guided framework that blind-estimates S2M transferability using substitute data and gradient similarity, then improves the surrogate model via Fine-Tuning and Architecture Search to align with the target. Across extensive experiments on the SAMPLE dataset, TEA significantly boosts S2M transferability, narrowing the gap toward M2M performance and demonstrating compatibility with multiple attack types and physical-adversarial setups. The results underscore the need to consider S2M scenarios in robustness evaluation and offer a practical toolkit for assessing and strengthening SAR ATR systems against transferable adversarial threats.

Abstract

Recently, there has been increasing concern about the vulnerability of deep neural network (DNN)-based synthetic aperture radar (SAR) automatic target recognition (ATR) to adversarial attacks, where a DNN could be easily deceived by clean input with imperceptible but aggressive perturbations. This paper studies the synthetic-to-measured (S2M) transfer setting, where an attacker generates adversarial perturbation based solely on synthetic data and transfers it against victim models trained with measured data. Compared with the current measured-to-measured (M2M) transfer setting, our approach does not need direct access to the victim model or the measured SAR data. We also propose the transferability estimation attack (TEA) to uncover the adversarial risks in this more challenging and practical scenario. The TEA makes full use of the limited similarity between the synthetic and measured data pairs for blind estimation and optimization of S2M transferability, leading to feasible surrogate model enhancement without mastering the victim model and data. Comprehensive evaluations based on the publicly available synthetic and measured paired labeled experiment (SAMPLE) dataset demonstrate that the TEA outperforms state-of-the-art methods and can significantly enhance various attack algorithms in computer vision and remote sensing applications. Code and data are available at https://github.com/scenarri/S2M-TEA.

Paper Structure (48 sections, 18 equations, 20 figures, 8 tables, 1 algorithm)

Figures (20)

  • Figure 1: Comparison between S2M and M2M attack settings.
  • Figure 2: Differences between the synthetic and measured data of the SAMPLE dataset: (Left) the mean value and standard deviation (Std.) and (Right) the paired instances with the lowest and highest root mean squared error.
  • Figure 3: The average cosine similarity between gradient directions of the surrogate model (ResNet-18 and ConvNeXt) and eleven target models over 1345 synthetic-measured image pairs of the SAMPLE dataset in ascending order. The directions were calculated using the projected gradient descent (PGD) attack (Madry et al., 2018), and the first positive index is labeled in each plot.
  • Figure 4: A simple schematic diagram of our estimator from a feature distribution perspective: (a) The data projections and decision boundaries of the surrogate and target model, where $\bm{\delta}$ and $\bm{\delta}^{\ast}$ indicate the minimum perturbation strength for a successful attack of white-box and S2M transfer attacks, respectively. (b) Optimizing $\mathcal{L}_{\text{data}}$ provides a flatter surrogate decision boundary, as it may not always be effective in fitting the original distribution and neglects the intrinsic similarity. (c) Cooperation with $\mathcal{L}_{\text{Model}}$ to optimize the total estimation leads to a smoother boundary and a new surrogate that retains the original distribution.
  • Figure 5: Process to construct the search space for AS showing a single layer as an example. Note that the figure shows the first derivatives for the ReLU function and the $\operatorname{Softplus}_{\beta}$ function.
  • ...and 15 more figures