SCF-FGSM: Boosting Transferable Targeted Adversarial Attacks with Feature Mixup and Space Fine-Tuning
DOI: https://doi.org/10.62517/jbdc.202501103
Author(s)
Guodong Liu, Houwang Jiang, Wenxing Liao, Xiaolong Liu, Zhiyu Lin, Shihua Zhan*
Affiliation(s)
School of Computer Science and Information Engineering, Fujian Agriculture and Forestry University, Fuzhou, China
*Corresponding Author
Abstract
With the widespread deployment of deep neural networks (DNNs) in critical fields such as autonomous driving and medical diagnosis, their adversarial robustness has become a research hotspot. In black-box attack scenarios, the transferability of targeted adversarial examples is limited by differences in decision boundaries across models, and existing methods struggle to mount efficient attacks. To address this, we propose a novel targeted adversarial attack method, SCF-FGSM, which combines Self-Universality (SU), Clean Feature Mixup (CFM), and feature space fine-tuning. The method enhances the local feature consistency of adversarial examples through SU, uses CFM to generate diverse perturbations that overcome inter-model differences, and incorporates feature space fine-tuning to precisely align target features across models. Experiments on the ImageNet dataset demonstrate that SCF-FGSM significantly outperforms existing methods in transferability and attack success rate, particularly under the Logit loss. Ablation studies and visualization analyses further validate the contribution of each module to transferability, revealing a synergy between feature space alignment and perturbation diversity. This provides theoretical support and a practical pathway for improving the transferability of adversarial attacks.
Keywords
Targeted Adversarial Attack; Transferability; Deep Neural Networks; Black-Box Attack
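The core loop the abstract describes (iterative sign-gradient steps that push an input toward a target class, with clean features from other images randomly mixed into an intermediate layer to diversify the perturbation) can be illustrated with a deliberately tiny NumPy sketch. Everything below is an illustrative assumption, not the paper's implementation: the two-layer linear toy model, the mixing ratio range, and all hyperparameter values are invented for the sketch, and SU's crop-consistency term and the feature-space fine-tuning stage are omitted entirely.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy two-layer *linear* model: intermediate features h = W1 x, logits z = W2 h.
# Kept linear so the input gradient can be written down exactly.
W1 = rng.normal(size=(16, 8))
W2 = rng.normal(size=(4, 16))

def forward(x, mix_feat=None, alpha=0.0):
    h = W1 @ x
    if mix_feat is not None:
        # CFM-style step (simplified): blend a stored clean feature map
        # into the adversarial example's intermediate features.
        h = (1 - alpha) * h + alpha * mix_feat
    return W2 @ h

def target_logit_grad(target, alpha=0.0, mixing=False):
    # d z[target] / d x for the linear toy model; mixing scales the
    # adversarial branch by (1 - alpha).
    scale = (1 - alpha) if mixing else 1.0
    return scale * (W1.T @ W2[target])

x = rng.normal(size=8)                               # "clean" input
clean_pool = [W1 @ rng.normal(size=8) for _ in range(5)]  # clean features of other images
target, eps, step = 2, 0.5, 0.05                     # illustrative values only

adv = x.copy()
for _ in range(20):
    mf = clean_pool[rng.integers(len(clean_pool))]   # random clean feature to mix in
    alpha = rng.uniform(0.0, 0.3)                    # random mixing ratio (assumed range)
    g = target_logit_grad(target, alpha, mixing=True)
    adv = adv + step * np.sign(g)                    # FGSM-style sign step toward target
    adv = x + np.clip(adv - x, -eps, eps)            # project back into the L_inf ball

z_clean = forward(x)
z_adv = forward(adv)
print(z_adv[target] - z_clean[target])               # target logit should have increased
```

Because the toy model is linear, the sign step always points toward the target logit, so the sketch only demonstrates the mechanics (feature mixing inside the forward pass, sign-gradient update, L_inf projection); in the real method the gradient is taken through a nonlinear DNN with the mixing active.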