Enhancing Adversarial Transferability through Block Stretch and Shrink

TL;DR

The work tackles the challenge of transferring white-box adversarial perturbations to black-box models by proposing Block Stretch and Shrink (BSS), an input transformation that diversifies attention heatmaps through block-wise, constrained segmentation and local stretch/shrink while preserving global semantics. It introduces a unified number scale $N$ to standardize evaluation across methods and presents thorough experiments showing BSS outperforms state-of-the-art operators and combinations on CNNs and ViTs, under various defenses and ablations. Key contributions include the constrained segmentation mechanism, dual-dimension deformation, and an empirical framework that reveals the importance of both attention diversity and semantic preservation for high transferability. The results have significant implications for evaluating and understanding transferable adversarial attacks and highlight the need for standardized benchmarks in this research area.

Abstract

Adversarial attacks introduce small, deliberately crafted perturbations that mislead neural networks, and their transferability from white-box to black-box target models remains a critical research focus. Input transformation-based attacks are a subfield of adversarial attacks that enhance input diversity through input transformations to improve the transferability of adversarial examples. However, existing input transformation-based attacks tend to exhibit limited cross-model transferability. Previous studies have shown that high transferability is associated with diverse attention heatmaps and the preservation of global semantics in transformed inputs. Motivated by this observation, we propose Block Stretch and Shrink (BSS), a method that divides an image into blocks and applies stretch and shrink operations to these blocks, thereby diversifying attention heatmaps in transformed inputs while maintaining their global semantics. Empirical evaluations on a subset of ImageNet demonstrate that BSS outperforms existing input transformation-based attack methods in terms of transferability. Furthermore, we examine the impact of the number scale, defined as the number of transformed inputs, in input transformation-based attacks, and advocate evaluating these methods under a unified number scale to enable fair and comparable assessments.

Figures (5)

• Figure 1: The input image and its transformed versions generated by different methods. Except for BSS and OPS, existing advanced methods (e.g., BSR, SIA) fail to maintain global semantic integrity. In contrast, traditional methods (e.g., SIM, DIM) cannot produce rich feature representations.
• Figure 2: Attention heatmaps of the transformed images generated by BSS, OPS, DeCoWA, and BSR, computed on ResNet-18.
• Figure 3: This figure shows the specific principle of Block Stretch and Shrink. After adding perturbation $\delta$ to the input image $x$, the image split and stretch and shrink modules operate along two dimensions to produce a transformed input, which is then fed into the model to generate adversarial perturbations.
• Figure 4: Attack success rates (%) of different attack methods in different number scale on five CNNs and five ViTs models, using ResNet-18 as the white-box model, with input transformation methods BSR, SIA, DeCoWA, OPS, and BSS.
• Figure 5: Average attack success rates (%) on six CNNs and five ViTs models under different parameter configurations, using ResNet-18 as the white-box model and setting the number scale to 30.