Beyond Deceptive Flatness: Dual-Order Solution for Strengthening Adversarial Transferability
Zhixuan Zhang, Pingyu Wang, Xingjian Zheng, Linbo Qing, Qi Liu

TL;DR
This paper introduces a novel dual-order gradient-based attack method that improves adversarial transferability by addressing deceptive flatness, with theoretical guarantees and enhanced sampling techniques, outperforming existing baselines on multiple datasets and attack scenarios.
Contribution
It proposes Adversarial Flatness (AF) and Adversarial Flatness Attack (AFA), providing a new perspective and theoretical assurance for transferability, along with MonteCarlo sampling for efficiency.
Findings
Outperforms six baselines on the ImageNet-compatible dataset
Generates adversarial examples in flatter regions, boosting transferability
Effective against input transformation attacks and Baidu Cloud API
Abstract
Transferable attacks generate adversarial examples on surrogate models to fool unknown victim models, posing real-world threats and growing research interest. Despite focusing on flat losses for transferable adversarial examples, recent studies still fall into suboptimal regions, especially the flat-yet-sharp areas, termed as deceptive flatness. In this paper, we introduce a novel black-box gradient-based transferable attack from a perspective of dual-order information. Specifically, we feasibly propose Adversarial Flatness (AF) to the deceptive flatness problem and a theoretical assurance for adversarial transferability. Based on this, using an efficient approximation of our objective, we instantiate our attack as Adversarial Flatness Attack (AFA), addressing the altered gradient sign issue. Additionally, to further improve the attack ability, we devise MonteCarlo Adversarial Sampling…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Generative Adversarial Networks and Image Synthesis · Domain Adaptation and Few-Shot Learning
