Transform-Dependent Adversarial Attacks

TL;DR

This paper introduces transform-dependent adversarial attacks that exploit the vulnerability of deep networks to image transformations, enabling diverse and controllable attacks across architectures and tasks, and also serving as a defense mechanism.

Contribution

It reveals a new type of adversarial vulnerability dependent on image transforms and demonstrates their effectiveness and potential for defense.

Findings

Transform-dependent attacks outperform state-of-the-art transfer attacks by 17-31%.

Vulnerability exists across architectures and vision tasks.

Transform-dependent perturbations can prevent sensitive information disclosure.

Abstract

Deep networks are highly vulnerable to adversarial attacks, yet conventional attack methods utilize static adversarial perturbations that induce fixed mispredictions. In this work, we exploit an overlooked property of adversarial perturbations--their dependence on image transforms--and introduce transform-dependent adversarial attacks. Unlike traditional attacks, our perturbations exhibit metamorphic properties, enabling diverse adversarial effects as a function of transformation parameters. We demonstrate that this transform-dependent vulnerability exists across different architectures (e.g., CNN and transformer), vision tasks (e.g., image classification and object detection), and a wide range of image transforms. Additionally, we show that transform-dependent perturbations can serve as a defense mechanism, preventing sensitive information disclosure when image enhancement transforms pose a risk of revealing private content. Through analysis in blackbox and defended model settings, we show that transform-dependent perturbations achieve high targeted attack success rates, outperforming state-of-the-art transfer attacks by 17-31% in blackbox scenarios. Our work introduces novel, controllable paradigm for adversarial attack deployment, revealing a previously overlooked vulnerability in deep networks.