Attacking Transformers with Feature Diversity Adversarial Perturbation

Chenxing Gao, Hang Zhou, Junqing Yu, YuTeng Ye, Jiale Cai, Junle Wang, Wei Yang

TL;DR

This work tackles ViT vulnerability to adversarial perturbations by introducing FDAP, a label-free white-box attack that accelerates feature-collapse by suppressing feature diversity—especially high-frequency content—across carefully selected middle ViT layers. FDAP defines a feature-diversity loss $J_{FD}$ using a diversity measure $r(z)$ and targets the norm-2 features in transformer blocks, supported by frequency analysis of MHSA, skip connections, and FFN. The authors demonstrate strong transferability to a broad set of models (ViTs, CNNs, MLPs) and across tasks (object detection, segmentation, pose, depth), with extensive ablations and analysis of attention eigenvalues and Grad-CAM behavior. These findings highlight the practical implications of feature-collapse dynamics for cross-model attacks and motivate future work on defense strategies against label-free, cross-domain adversarial perturbations.

Abstract

Understanding the mechanisms behind Vision Transformer (ViT), particularly its vulnerability to adversarial perturbations, is crucial for addressing challenges in its real-world applications. Existing ViT adversarial attackers rely on labels to calculate the gradient for perturbation, and exhibit low transferability to other structures and tasks. In this paper, we present a label-free white-box attack approach for ViT-based models that exhibits strong transferability to various black box models, including most ViT variants, CNNs, and MLPs, even for models developed for other modalities. Our inspiration comes from the feature collapse phenomenon in ViTs, where the critical attention mechanism overly depends on the low-frequency component of features, causing the features in middle-to-end layers to become increasingly similar and eventually collapse. We propose the feature diversity attacker to naturally accelerate this process and achieve remarkable performance and transferability.

Paper Structure (15 sections, 15 equations, 5 figures, 2 tables, 1 algorithm)


Figures (5)

  • Figure 1: Overview of Feature Diversity Adversarial Perturbation attack (FDAP). Our attack aims to reduce the feature diversity. Reducing the feature diversity corresponds to a decrease in the high-frequency components in feature space, while in theory the attention matrix gradually converges to a rank-1 matrix.
  • Figure 2: Frequency change due to different modules of a ViT model. The x-axis represents the different modules of the transformer blocks, while the y-axis represents the delta of the frequency. The light-purple, light-yellow, and blue columns correspond to the MHSA, SC and FFN modules respectively. A decrease in the y value indicates low-pass filtering.
  • Figure 3: Layer Selection with CKA analysis. A more yellowish color indicates more similarity between the features of two layers. We can see that there are three block structures. We select the layers in the second block because the features in these layers show relatively high feature diversity.
  • Figure 4: Eigenvalues for ViT attention matrix of all layers.
  • Figure 5: Grad-CAM for clean and adversarial samples.
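
The collapse mechanism described in the Figure 1 and Figure 2 captions can be reproduced on a toy model. The following is an added example, not code from the paper: it stacks single-head softmax attention with identity Q/K/V weights and no LayerNorm or FFN (assumptions), and tracks the share of feature energy outside the token mean as an assumed stand-in for the diversity measure $r(z)$, which this page does not define. The same per-layer metric can be logged on real mid-layer features to watch for collapse.

```python
import math
import random

def attention(z):
    """Single-head softmax self-attention with identity Q/K/V weights (toy assumption)."""
    scale = math.sqrt(len(z[0]))
    out = []
    for zi in z:
        scores = [sum(a * b for a, b in zip(zi, zj)) / scale for zj in z]
        top = max(scores)  # subtract the max for a numerically stable softmax
        w = [math.exp(s - top) for s in scores]
        total = sum(w)
        out.append([sum(wj * zj[k] for wj, zj in zip(w, z)) / total
                    for k in range(len(zi))])
    return out

def relative_diversity(z):
    """||z - 1*mean^T||_F / ||z||_F: share of feature energy outside the token-mean
    (lowest-frequency) component. 0 means all tokens are identical (rank-1 features).
    Assumed stand-in for r(z), not the paper's definition."""
    n = len(z)
    mean = [sum(col) / n for col in zip(*z)]
    resid = sum((v - m) ** 2 for row in z for v, m in zip(row, mean))
    total = sum(v * v for row in z for v in row)
    return math.sqrt(resid / total)

def collapse_trace(z, layers, skip):
    """Relative diversity after each layer, with or without a skip connection."""
    trace = [relative_diversity(z)]
    for _ in range(layers):
        a = attention(z)
        z = [[x + y for x, y in zip(r, ra)] for r, ra in zip(z, a)] if skip else a
        trace.append(relative_diversity(z))
    return trace

def make_tokens(n=6, d=8, seed=0):
    rng = random.Random(seed)  # constructed sample features, not real ViT activations
    return [[rng.gauss(0.0, 0.5) for _ in range(d)] for _ in range(n)]

if __name__ == "__main__":
    tokens = make_tokens()
    for name, skip in (("attention only", False), ("attention + skip", True)):
        print(name, ["%.3g" % v for v in collapse_trace(tokens, 6, skip)])
```
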