Dual-Flow: Transferable Multi-Target, Instance-Agnostic Attacks via In-the-wild Cascading Flow Optimization

Yixiao Chen, Shikun Sun, Jianshu Li, Ruoyu Li, Zhe Li, Junliang Xing

TL;DR

Dual-Flow tackles the challenge of highly transferable multi-target, instance-agnostic adversarial attacks by coupling a pretrained diffusion forward flow with a learnable reverse velocity (via LoRA) to generate constrained perturbations within the $\ell_\infty$ budget. A novel Cascading Distribution Shift Training procedure trains the reverse flow to progressively refine adversarial perturbations across adjoint timesteps, enabling strong cross-model transferability and resilience to defenses. Empirical results on ImageNet show substantial improvements in black-box transferability for both multi-target and single-target settings, plus notable robustness against robustly trained networks and input defenses, outperforming state-of-the-art instance-agnostic baselines. After training, the method enables fast inference for multiple targets, making it practical for large-scale evaluation of model robustness and defense mechanisms.

Abstract

Adversarial attacks are widely used to evaluate model robustness, and in black-box scenarios, the transferability of these attacks becomes crucial. Existing generator-based attacks have excellent generalization and transferability due to their instance-agnostic nature. However, when training generators for multi-target tasks, the success rate of transfer attacks is relatively low due to the limitations of the model's capacity. To address these challenges, we propose a novel Dual-Flow framework for multi-target instance-agnostic adversarial attacks, utilizing Cascading Distribution Shift Training to develop an adversarial velocity function. Extensive experiments demonstrate that Dual-Flow significantly improves transferability over previous multi-target generative attacks. For example, it increases the success rate from Inception-v3 to ResNet-152 by 34.58%. Furthermore, our attack method shows substantially stronger robustness against defense mechanisms, such as adversarially trained models. The code of Dual-Flow is available at: https://github.com/Chyxx/Dual-Flow.

Paper Structure

This paper contains 69 sections, 4 theorems, 21 equations, 7 figures, 16 tables, 3 algorithms.

Key Result

Proposition 1

Under mild assumptions on the $\mathcal{X}^\epsilon$ and the function $j$, there exists $\epsilon > 0$, a unique smooth flow. satisfying: such that:

Figures (7)

  • Figure 1: The comparison between Cascading ODE, Cascading SDE, and Random SDE for the second flow. The star shape represents the input for training the reverse flow. Notably, the Random SDE is observed to optimize in an incorrect distribution.
  • Figure 2: Visualization results of different input images targeting various classes. For each text prompt of the target class, the left column displays the adversarial examples generated before clipping, the middle column shows the adversarial examples after clipping, and the right column presents the corresponding adversarial perturbations, which represent the differences between the clipped adversarial examples and the original images. Note that the perturbations are scaled to a range between 0 and 1. The source model used is Inc-v3.
  • Figure 3: JPEG compression
  • Figure 4: Input smoothing
  • Figure 6: The multi-target black-box attack success rates of several variants of our method. The source model used is Res-152.
  • ...and 2 more figures

Theorems & Definitions (4)

  • Proposition 1: Morse Flow Construction
  • Theorem 2: Cascading Improvement at Adjoint Timesteps
  • Proposition 3: Morse Flow Construction
  • Proposition 4: Cascading Improvement at Adjoint Timesteps