Advancing Generalized Transfer Attack with Initialization Derived Bilevel Optimization and Dynamic Sequence Truncation

Yaohua Liu, Jiaxin Gao, Xuan Liu, Xianghao Jiao, Xin Fan, Risheng Liu

TL;DR

BETAK reframes black-box transfer attacks as an initialization-derived bilevel optimization, coupling a UL pseudo-victim attacker with a LL surrogate attacker via objectives $F$ and $f$ and perturbations $\boldsymbol{\delta}$, $\boldsymbol{\phi}$. It introduces Hyper-Gradient Response (HGR) estimation to provide transferable feedback and Dynamic Sequence Truncation (DST) to prune the backpropagation path, enabling efficient optimization even with non-convex surrogates. The framework is shown to converge to stationary points under non-convexity and delivers strong empirical gains across diverse victim models and defenses on ImageNet, including a notable improvement against IncRes-v2_ens. The authors provide extensive ablations demonstrating the effectiveness of DST and the benefits of incorporating multiple pseudo-victim models; source code is available for replication.

Abstract

Transfer attacks generate significant interest for real-world black-box applications by crafting transferable adversarial examples through surrogate models. However, existing works essentially optimize the single-level objective directly w.r.t. the surrogate model, which always leads to poor interpretability of the attack mechanism and limited generalization performance over unknown victim models. In this work, we propose the BilEvel Transfer AttacK (BETAK) framework by establishing an initialization derived bilevel optimization paradigm, which explicitly reformulates the nested constraint relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker. Algorithmically, we introduce the Hyper Gradient Response (HGR) estimation as an effective feedback for the transferability over pseudo-victim attackers, and propose the Dynamic Sequence Truncation (DST) technique to dynamically adjust the back-propagation path for HGR and reduce computational overhead simultaneously. Meanwhile, we conduct detailed algorithmic analysis and provide a convergence guarantee to support non-convexity of the LL surrogate attacker. Extensive evaluations demonstrate substantial improvement of BETAK (e.g., $\mathbf{53.41}\%$ increase of attack success rates against IncRes-v2$_{ens}$) against different victims and defense methods in targeted and untargeted attack scenarios. The source code is available at https://github.com/callous-youth/BETAK.

Paper Structure (12 sections, 11 equations, 4 figures, 4 tables, 1 algorithm)


Figures (4)

  • Figure 1: The three subfigures in group (a)-(d) illustrate the adversarial loss landscape w.r.t. input variations of the clean sample in Fig. \ref{fig:fig1} and corresponding AEs perturbed by SSA+BPA and BETAK. The color bars represent a common loss range and color mapping in each group. We mark the maximum and minimum value within the range of $x, y\in[-0.5,0.5]$ w.r.t. $\boldsymbol{\vec{\iota}}$ and $\boldsymbol{\vec{o}}$, respectively.
  • Figure 2: The CAM results of the clean image (labeled as Shower Cap) in Fig. \ref{fig:loss_landscape} and corresponding AEs generated with ResNet-50 by SSA+BPA and the proposed BETAK. Green and red marks represent that the image is correctly and wrongly classified, respectively.
  • Figure 3: Ablation results of the ATR for PGD+BPA and our BETAK framework by adjusting $T$, $K$ or removing the DST operation (denoted as w/ and w/o DST).
  • Figure 4: Ablation results of the time for Backpropagation (BP) for the first 10 batches of images and the average $\tilde{K}$ of DST operation as the UL iteration increases. Note that when DST operation is removed, $\tilde{K}$ is set to the same value as $K$.