
Transform-Dependent Adversarial Attacks

Yaoteng Tan, Zikui Cai, M. Salman Asif

TL;DR

This work addresses the vulnerability of deep networks to adversarial inputs by introducing transform-dependent adversarial attacks, where a single perturbation is crafted to elicit different targeted mispredictions under predefined image transforms. By optimizing over transform parameters and targets, and leveraging differentiable, deterministic transforms with optional EOT, the method achieves high targeted ASR across CNNs and vision transformers for both classification and object detection, and demonstrates strong blackbox transfer and occasional defense bypass. The approach is validated on a broad set of models and tasks, including extensions to object detection (with both selective hiding under scaling and enhancement-based concealment), showing practical implications for both attack deployment and privacy-preserving image protection. These results reveal a new, controllable dimension in adversarial robustness that existing defenses—designed for static perturbations—may fail to address, highlighting the need for transform-aware defenses and monitoring in real-world systems.

Abstract

Deep networks are highly vulnerable to adversarial attacks, yet conventional attack methods utilize static adversarial perturbations that induce fixed mispredictions. In this work, we exploit an overlooked property of adversarial perturbations--their dependence on image transforms--and introduce transform-dependent adversarial attacks. Unlike traditional attacks, our perturbations exhibit metamorphic properties, enabling diverse adversarial effects as a function of transformation parameters. We demonstrate that this transform-dependent vulnerability exists across different architectures (e.g., CNN and transformer), vision tasks (e.g., image classification and object detection), and a wide range of image transforms. Additionally, we show that transform-dependent perturbations can serve as a defense mechanism, preventing sensitive information disclosure when image enhancement transforms pose a risk of revealing private content. Through analysis in blackbox and defended model settings, we show that transform-dependent perturbations achieve high targeted attack success rates, outperforming state-of-the-art transfer attacks by 17-31% in blackbox scenarios. Our work introduces a novel, controllable paradigm for adversarial attack deployment, revealing a previously overlooked vulnerability in deep networks.

Paper Structure (24 sections, 6 equations, 11 figures, 10 tables)

This paper contains 24 sections, 6 equations, 11 figures, 10 tables.

Figures (11)

  • Figure 1: This paper introduces transform-dependent adversarial attacks, where the adversarial effects are controllably triggered by image transforms, offering flexibility for attack deployment or protection against detection. In this example, our adversarial perturbation prevents persons from being detected by an object detector when zooming in could reveal private details.
  • Figure 2: Examples of transform-dependent adversarial attacks against classifiers. A single adversarial perturbation added to a clean image can offer multiple attack effects for desired image transforms. First row: Targeted attacks are triggered by scaling around $0.5\times$ and $2\times$, with the clean label around $1\times$. Scaled images in the first row have different sizes after scaling, but we present their resized versions for better display. Second row: Attacks triggered with $\gamma \sim 0.5\pm 0.1, 2\pm 0.1$ in gamma correction, while providing the clean label with $\gamma \sim 1\pm 0.1$. Third row: Attacks triggered with JPEG compression quality factor $Q \sim 80\pm1$, $20\pm1$, while providing the clean label with no compression. The perturbation in all examples is bounded by $\ell_\infty \leq 8$; the magnitude is amplified $30\times$ for better visualization.
  • Figure 3: Loss landscape of the ResNet50 whitebox model over transform parameter values. A small loss value indicates successful targeted attacks within the desired transform parameter ranges. Perturbations are generated to make the model output three target labels for three transform parameter ranges: $S\sim\{[0.4,0.6], [0.9,1.1], [1.4,1.6]\}$, $\sigma\sim\{[0.4,0.6], [1.4,1.6], [2.9,3.1]\}$, $\gamma\sim\{[0.4,0.6], [0.9,1.1], [1.9,2.1]\}$, $Q\sim\{[19,21], [49,51], [79,81]\}$, the same setup as in the classification ASR-by-range table (tab:cls-asr-range). This figure suggests that multiple attack targets can be controllably triggered by transform parameters, and that attacks remain effective even when the parameter is sampled outside the targeted ranges.
  • Figure 4: Visualization of scale-dependent selective hiding attack against YOLOv3. The first column shows detection results on the original clean image, while the following columns present perturbed images scaled with factors $S\in\{0.5,1.0,1.5\}$ (perturbation $\|\delta\|_\infty \leq 10$). Note that scaled images will have different sizes after scaling, but we present their resized versions for better display.
  • Figure 5: Visualization of the enhance transform-hiding attack on YOLOv3. While objects in the enhanced clean images are detected, after adding enhance transform-dependent perturbations ($\|\delta\|_\infty \leq 10$) the detector fails once the enhancement transform is applied, preventing sensitive information disclosure in remote sensing or public surveillance systems.
  • ...and 6 more figures