PAR-AdvGAN: Improving Adversarial Attack Capability with Progressive Auto-Regression AdvGAN
Jiayu Zhang, Zhiyu Zhu, Xinyi Wang, Silin Liao, Zhibo Jin, Flora D. Salim, Huaming Chen

TL;DR
PAR-AdvGAN introduces a progressive auto-regressive mechanism within GANs to generate adversarial examples more effectively and quickly, significantly improving attack transferability and speed over existing methods.
Contribution
It presents a novel progressive auto-regressive approach for GAN-based adversarial attack generation, enhancing transferability and efficiency.
Findings
Outperforms state-of-the-art black-box attacks
Achieves up to 335.5 frames per second in generation
Demonstrates superior attack success rates
Abstract
Deep neural networks have demonstrated remarkable performance across various domains. However, they are vulnerable to adversarial examples, which can lead to erroneous predictions. Generative Adversarial Networks (GANs) can leverage the generators and discriminators model to quickly produce high-quality adversarial examples. Since both modules train in a competitive and simultaneous manner, GAN-based algorithms like AdvGAN can generate adversarial examples with better transferability compared to traditional methods. However, the generation of perturbations is usually limited to a single iteration, preventing these examples from fully exploiting the potential of the methods. To tackle this issue, we introduce a novel approach named Progressive Auto-Regression AdvGAN (PAR-AdvGAN). It incorporates an auto-regressive iteration mechanism within a progressive generation network to craft…
Peer Reviews
Decision: Submitted to ICLR 2025
1. Overall writing is smooth and easy to follow. 2. The proposed method to extend AdvGAN to a multiple-step attack is intuitively reasonable. 3. Non-trivial performance gains are shown in terms of attack success rates compared with some previous methods in most experiments. In Table 4 SINI-FGSM has a tiny advantage over the proposed method. But this is not an issue to me, since the difference is tiny enough to be ignored and also the attackers can choose the model with the best generalization ability
1. The technical novelty is limited. The extension over AdvGAN is trivial. 2. When talking about multi-step generation, usually people would assume diffusion models to do a better job than progressive GANs. Can diffusion models perform the same job as the proposed Par-AdvGAN? There are multiple papers applying diffusion models to generate adversarial samples like this one [1,2]. It seems to me they can be adopted for the same purpose as Par-AdvGAN. I would suggest to add them as important basel
1. The author questions that the generation of perturbations is usually limited to a single iteration, thus degrading the attacking performance, which looks like an interesting issue. 2. The paper is well-written and easy to follow. 3. Extensive experiments are performed to evaluate the proposed PAR-AdvGAN, compared to other baselines.
1. The paper argues that the limitations of the previous GAN method for generating perturbations stem from its reliance on single-step sampling. While the experiments demonstrate significant improvements, I question whether this is the primary reason for the shortcomings of the previous method (probably the adversarial features are not well-learned). To further validate this assumption, what would happen if we incorporated additional time steps into the training of the GAN, such as concatenating
1. The writing is clear.
1. In Table 7, why isn't the baseline AdvGAN included for comparison? This is because the processing speed of our algorithm may be attributed to the baseline AdvGAN rather than to the proposed progressive autoregressive method. I suggest that the authors add AdvGAN to Table 7 and discuss how PAR-AdvGAN's speed compares specifically to AdvGAN. This would help clarify the speed improvements due to the progressive autoregressive method versus the baseline AdvGAN approach. 2. The latest transfer atta
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
Methods: Average Pooling · Dense Connections · Label Smoothing · Max Pooling · Auxiliary Classifier · Convolution · Softmax · 1x1 Convolution · Dropout · Inception-v3 Module
