Enhancing Adversarial Transferability through Block Stretch and Shrink

TL;DR

This paper introduces Block Stretch and Shrink (BSS), a novel input transformation technique that improves adversarial example transferability across models by diversifying attention heatmaps while preserving global semantics.

Contribution

The paper proposes BSS, a new method that enhances transferability of adversarial attacks by dividing images into blocks and applying stretch and shrink operations, outperforming existing methods.

Findings

BSS achieves higher transferability than existing input transformation methods.

Evaluating under a unified number scale provides fair comparisons of attack methods.

BSS maintains global semantics while diversifying attention heatmaps.

Abstract

Adversarial attacks introduce small, deliberately crafted perturbations that mislead neural networks, and their transferability from white-box to black-box target models remains a critical research focus. Input transformation-based attacks are a subfield of adversarial attacks that enhance input diversity through input transformations to improve the transferability of adversarial examples. However, existing input transformation-based attacks tend to exhibit limited cross-model transferability. Previous studies have shown that high transferability is associated with diverse attention heatmaps and the preservation of global semantics in transformed inputs. Motivated by this observation, we propose Block Stretch and Shrink (BSS), a method that divides an image into blocks and applies stretch and shrink operations to these blocks, thereby diversifying attention heatmaps in transformed inputs while maintaining their global semantics. Empirical evaluations on a subset of ImageNet demonstrate that BSS outperforms existing input transformation-based attack methods in terms of transferability. Furthermore, we examine the impact of the number scale, defined as the number of transformed inputs, in input transformation-based attacks, and advocate evaluating these methods under a unified number scale to enable fair and comparable assessments.