Dynamic Parameter Optimization for Highly Transferable Transformation-Based Attacks

Jiaming Liang, Chi-Man Pun

TL;DR

This work studies how transformation-based adversarial attacks transfer across models as a function of transformation parameters and iteration. It identifies three consistent dynamics and introduces the Concentric Decay Model (CDM) to explain why optimal parameters vary with surrogate, iteration, and task, along with a Dynamic Parameter Optimization (DPO) method that reduces optimization complexity to $O(n\log_2 m)$. Empirically, re-optimizing parameters yields significant transferability gains across untargeted and targeted settings and even against adversarially trained defenses. The findings underscore the importance of adaptive parameter tuning for robust black-box attacks and provide practical optimization strategies to enhance attack effectiveness.

Abstract

Despite their wide application, the vulnerabilities of deep neural networks raise societal concerns. Among them, transformation-based attacks have demonstrated notable success in transfer attacks. However, existing attacks suffer from blind spots in parameter optimization, limiting their full potential. Specifically, (1) prior work generally considers low-iteration settings, yet attacks perform quite differently at higher iterations, so characterizing overall performance based only on low-iteration results is misleading. (2) Existing attacks use uniform parameters for different surrogate models, iterations, and tasks, which greatly impairs transferability. (3) Traditional transformation parameter optimization relies on grid search. For $n$ parameters with $m$ steps each, the complexity is $O(m^n)$. Large computational overhead limits further optimization of parameters. To address these limitations, we conduct an empirical study with various transformations as baselines, revealing three dynamic patterns of transferability with respect to parameter strength. We further propose a novel Concentric Decay Model (CDM) to effectively explain these patterns. Building on these insights, we propose an efficient Dynamic Parameter Optimization (DPO) based on the rise-then-fall pattern, reducing the complexity to $O(n\log m)$. Comprehensive experiments on existing transformation-based attacks across different surrogate models, iterations, and tasks demonstrate that our DPO can significantly improve transferability.
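The evaluation-count gap between grid search and a search that exploits a rise-then-fall curve, as an added example that is not code from the paper and not the authors' DPO algorithm. It assumes a constructed score that rises then falls in each parameter and that parameters can be tuned one at a time; `score`, `PEAKS`, `Counter` and `peak_search` are hypothetical names.

```python
import itertools

# Constructed stand-in for a measured transfer rate (assumption): each
# parameter's contribution rises to a peak and then falls, and the
# contributions are independent of each other.
PEAKS = (11, 3, 27)   # constructed peak index for each of n = 3 parameters
M = 32                # m candidate steps per parameter

def score(idx):
    return sum(-(i - p) ** 2 for i, p in zip(idx, PEAKS))

class Counter:
    """Caches the score and counts distinct evaluations; in a real
    robustness evaluation each one would be a full attack run."""
    def __init__(self, fn):
        self.fn, self.cache = fn, {}
    def __call__(self, idx):
        if idx not in self.cache:
            self.cache[idx] = self.fn(idx)
        return self.cache[idx]
    @property
    def calls(self):
        return len(self.cache)

def grid_search(f, n, m):
    # Exhaustive search: m**n evaluations.
    return max(itertools.product(range(m), repeat=n), key=f)

def peak_search(f, n, m):
    # One parameter at a time: binary search on the slope sign of a
    # rise-then-fall curve, about 2*log2(m) evaluations per parameter.
    idx = [0] * n
    for k in range(n):
        lo, hi = 0, m - 1
        while lo < hi:
            mid = (lo + hi) // 2
            left = tuple(idx[:k] + [mid] + idx[k + 1:])
            right = tuple(idx[:k] + [mid + 1] + idx[k + 1:])
            if f(left) < f(right):   # still rising: peak lies to the right
                lo = mid + 1
            else:                    # falling or at the peak: keep mid
                hi = mid
        idx[k] = lo
    return tuple(idx)

def compare(n=3, m=M):
    g, p = Counter(score), Counter(score)
    return grid_search(g, n, m), g.calls, peak_search(p, n, m), p.calls
```

The slope test is only valid when the curve has a single peak, so a parameter whose measured curve is flat or noisy needs a fallback to a coarser scan.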

Paper Structure

This paper contains 17 sections, 5 equations, 4 figures, 6 tables, 1 algorithm.

Figures (4)

  • Figure 1: Rows 2, 3, 5, and 6 show the ASRs (%) of various transformation-based attacks integrated with MI-FGSM (left label: model before comma is surrogate, after comma is target). Rows 1 and 4 illustrate the predicted distribution KL divergence of different transformations on benign samples. Red dots indicate the optimal parameters at the corresponding epochs. Values in the gray box indicate the optimal parameters at epochs $2$, $10$, $50$, $100$, and $500$. Those following the pattern of "optimal transformation parameters grow with iterations" are shown in bold italics.
  • Figure 2: Visualization of the rise-then-fall pattern on an individual sample. The first row shows Noise Addition adversarial examples with R50 as the surrogate at Epoch $500$ for different $z$ values (top). The second row shows their absolute differences from the $z=0.14$ example (normalized by $16/255$). The third row displays deep features from DenseNet161’s denseblock4.denselayer24 (min-max normalization with $\min = -0.0019$ and $\max = 0.0152$). True label probabilities are shown at the bottom.
  • Figure 3: Our Concentric Decay Model explains the three revealed patterns. $KL=k$ denotes the high-dimensional surface where the KL divergence with the surrogate model equals $k$.
  • Figure : Validation models used for optimizing the attacks and test models used to evaluate the optimized results.