Dynamic Parameter Optimization for Highly Transferable Transformation-Based Attacks
Jiaming Liang, Chi-Man Pun

TL;DR
This paper introduces a dynamic parameter optimization method for transformation-based attacks on neural networks, addressing limitations in previous approaches by modeling transferability patterns and reducing computational complexity, thereby enhancing attack transferability.
Contribution
It proposes the Concentric Decay Model and a dynamic optimization approach that adaptively tunes parameters, improving transferability across models and tasks while reducing computational overhead.
Findings
DPO significantly improves transferability of attacks.
Transferability exhibits rise-then-fall patterns with respect to parameter strength.
The approach reduces optimization complexity from O(m^n) to O(n log m).
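The evaluation-count gap behind the last finding, as an added illustration (not the paper's code, and not the DPO algorithm itself): when a score rises then falls in each parameter, a bisection per parameter can replace the exhaustive grid. The score function, its separability across parameters, and every name below are assumptions constructed for this example.

```python
from itertools import product

def make_score(peaks):
    """Constructed stand-in for a validation score: separable across
    parameters and strictly rise-then-fall in each one. Not a real attack."""
    calls = {"n": 0}
    def score(idx):
        calls["n"] += 1  # count every evaluation, the costly step in practice
        return -sum((i - p) ** 2 for i, p in zip(idx, peaks))
    return score, calls

def grid_search(score, n, m):
    """Exhaustive baseline: evaluates all m**n settings."""
    return max(product(range(m), repeat=n), key=score)

def unimodal_argmax(f, lo, hi):
    """Peak index of a strictly rise-then-fall sequence on lo..hi,
    found by bisecting on the local slope: O(log m) evaluations."""
    while lo < hi:
        mid = (lo + hi) // 2
        if f(mid) < f(mid + 1):   # still rising, peak lies to the right
            lo = mid + 1
        else:                     # falling, peak is at mid or to the left
            hi = mid
    return lo

def coordinate_search(score, n, m):
    """Tune one parameter at a time, others held fixed: O(n log m) evaluations.
    A single pass is exact only because the constructed score is separable."""
    idx = [0] * n
    for k in range(n):
        def f(v, k=k):
            return score(tuple(idx[:k] + [v] + idx[k + 1:]))
        idx[k] = unimodal_argmax(f, 0, m - 1)
    return tuple(idx)

def compare(peaks, m):
    """Return (grid optimum, grid evaluations, fast optimum, fast evaluations)."""
    n = len(peaks)
    s_grid, c_grid = make_score(peaks)
    best_grid = grid_search(s_grid, n, m)
    s_fast, c_fast = make_score(peaks)
    best_fast = coordinate_search(s_fast, n, m)
    return best_grid, c_grid["n"], best_fast, c_fast["n"]
```

With three parameters and 16 steps each, both searches reach the same setting, but the grid needs 16^3 evaluations while the per-parameter bisection needs 3 × 2 × log2(16).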
Abstract
Despite their wide application, the vulnerabilities of deep neural networks raise societal concerns. Among them, transformation-based attacks have demonstrated notable success in transfer attacks. However, existing attacks suffer from blind spots in parameter optimization, limiting their full potential. Specifically, (1) prior work generally considers low-iteration settings, yet attacks perform quite differently at higher iterations, so characterizing overall performance based only on low-iteration results is misleading. (2) Existing attacks use uniform parameters for different surrogate models, iterations, and tasks, which greatly impairs transferability. (3) Traditional transformation parameter optimization relies on grid search. For n parameters with m steps each, the complexity is O(m^n). Large computational overhead limits further optimization of parameters. To address these…
Peer Reviews
Decision · ICLR 2026 Conference Withdrawn Submission
Adversarial transferability is an important topic. Using the model augmentation to explain is interesting.
Need a discussion on the balance between performance and time complexity. The connection between the KL divergence and the plausible models should be further explained. The experiment only focuses on the transformation-based approach independently.
1. This is an interesting research, targeting the parameter optimization of transformation-based adversarial attacks. 2. The authors provided some empirical results to explain their motivation, making the writing clear for readers.
1. The observation in this paper isn't very motivated for me. In Figure 1, the selection of epoch 2 is too extreme, since the adversarial examples may not converge in a few iterations. For epochs 10, 50, 100, and 500, although the optimal parameters differ, the ASRs remain relatively stable within the gray box (i.e., across the different optimal parameters). This makes me doubt the importance of this paper. 2. The experimental results are somewhat low, with most improvements of the AVG being low
This paper is grounded in empirical observations, analyzing the limitations of adversarial perturbations under three dynamic patterns and introducing a clear perspective to relate surrogate models with emulated plausible or implausible models. Based on this analysis, the work proposes a well-motivated Dynamic Parameter Optimization method that efficiently improves cross-model transferability, providing both conceptual insights and practical contributions.
1. The CDM model is based on the similarity between surrogate models and emulated models, measured via KL divergence, but several concerns arise: - The increase in KL divergence does not appear to significantly reflect the coverage of plausible models for the three dynamic patterns; the results in Figure 1 do not convincingly support this analysis. Large KL differences do not clearly introduce excessive noise that reduces transferability. - It is unclear whether there is any theoretical analysis
* This work shows how the strength of certain types of adversarial attacks is currently underestimated and could have implications for how defenses to adversarial examples are evaluated. * Many different types of transformation-based attacks are used in evaluation. These attacks have also been well-studied in prior work in the machine learning robustness literature, and it is clear how this paper relates to prior research in the field. * The concentric decay model seems plausible and gives a con
* The evaluations don't directly test the validity of the concentric decay model. The model would be more convincing if there were estimates of the divergences that are discussed in Section 3.3. * The time complexity of this approach is not thoroughly discussed. While it is shown that the DPO approach improves over the naive approach to parameter optimization in terms of time complexity, there are no theoretical or experimental results showing how much time this approach adds over unoptimized tr
1. The paper is well-structured, clearly written, and easy to follow. 2. The proposed Concentric Decay Model (CDM) intuitively quantifies the relationship between transformation strength, transferability, and the number of iterations.
1. The method requires the use of validation models for parameter selection. Since these validation models are already utilized, why not integrate them into the surrogate model ensemble to further enhance the transferability of adversarial examples? This could potentially lead to higher transferability. 2. The time complexity should be compared with existing transfer-based attack methods, not just grid search. Existing methods do not require searching over iterations and transformation parameters
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
