Enhancing Adversarial Transferability via Component-Wise Transformation
Hangyu Liu, Bo Peng, Can Cui, Pengxiang Ding, Donglin Wang
TL;DR
This paper introduces Component-Wise Transformation (CWT), a novel input transformation attack that enhances adversarial transferability across different neural network architectures by focusing on diverse image regions.
Contribution
The paper proposes CWT, a new attack method applying block-wise transformations to improve transferability of adversarial examples across architectures.
Findings
CWT outperforms existing methods in attack success rates.
CWT demonstrates higher stability across CNN and Transformer models.
Extensive experiments on ImageNet validate the effectiveness of CWT.
Abstract
Deep Neural Networks (DNNs) are highly vulnerable to adversarial examples, which pose significant challenges in security-sensitive applications. Among various adversarial attack strategies, input transformation-based attacks have demonstrated remarkable effectiveness in enhancing adversarial transferability. However, existing methods still perform poorly across different architectures, even though they have achieved promising results within the same architecture. This limitation arises because, while models of the same architecture may focus on different regions of the object, the variation is even more pronounced across different architectures. Unfortunately, current approaches fail to effectively guide models to attend to these diverse regions. To address this issue, this paper proposes a novel input transformation-based attack method, termed Component-Wise Transformation (CWT). CWT…
Peer Reviews
Decision·ICLR 2026 Conference Withdrawn Submission
1. This paper reveals that the differences in the target regions focused on by various models may be a primary reason for the limited transferability of adversarial examples. 2 . Fig.3 shows the relationship between different models from three perspectives: gradient cosine similarity, adversarial noise cosine similarity, and transferability of attacks. 3. The experimental results of the CWT method demonstrate the effectiveness of the method proposed in this paper. 4. Fig.A3 in the appendix d
1. In Figure 2, the authors claim that the BSR method focuses too much on the region outside the target object, i.e., the background area, which limits the transferability of adversarial examples. Does this description contradict the actual experimental results? Methods like DIM, SIM, and Admix, even though they focus on the region within the target object, exhibit worse transferability than BSR. Furthermore, since the model's input is a whole image rather than just the target object, attackers
The experiment scope on the COCO dataset is good. The topic of adversarial transferability is important.
The motivation is not convincing. The details of the proposed method are unclear. The experiment may be unfair. (Minor) Format issue in Table 2.
- The paper is easy to follow. - The paper studies an important field in AI security.
1. Evaluation. - Model utility is not included in evaluations. The reviewer is concerned that block-wise rotation may include artifacts in image, such that the artifacts could be easily observed by a human, hence it may hinder the **imperceptibility**, a pivotal principle in adversarial attack field. The reviewer kindly asks the authors to provide more examples of adversarial examples generated by the proposed algorithm to showcase their imperceptibility**.** 2. Soundness of the method - It
1 Cross-architecture adversarial transfer is a relevant and challenging research topic. Grad-CAM visualizations convincingly illustrate architectural attention differences. 2 CWT is easy to implement, computationally efficient, and integrates naturally with MI-FGSM.
1 Incomplete comparison with SOTA: The paper omits some SOTA methods (e.g., Boosting the Transferability of Adversarial Attack on Vision Transformer with Adaptive Token Tuning, Improving Adversarial Transferability via Intermediate-level Perturbation Decay), 2 There is no rigorous quantitative analysis showing that CWT systematically improve gradient alignment, or that improved alignment directly leads to higher transfer success. Without this connection, it is unclear whether the empirical gain
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Optical Sensing Technologies · Adversarial Robustness in Machine Learning · Fire Detection and Safety Systems
MethodsFocus