Deep neural networks (DNNs) are vulnerable to adversarial examples, which are crafted by adding imperceptible perturbations to benign inputs. Notably, adversarial examples generated on white-box models often exhibit black-box transferability. Targeted attacks, which require fooling a model into predicting a specific target class, are more challenging than non-targeted attacks. A representative approach to targeted attacks is the Self-Universality (SU) method, which improves targeted transferability by enhancing the universality of adversarial perturbations. SU achieves this by maximizing the feature similarity between adversarially perturbed global images and randomly cropped local regions. However, as the pair of images used for similarity calculation is derived from the same domain, the natural high similarity between local regions and global images diminishes the prominence of the dominant features introduced by the perturbations. This limitation compromises universality, ultimately reducing targeted transferability. To address these issues, we propose Style Augmentation Domain-Universality (SADU), a method that enhances perturbation universality across domain-augmented images of the same source image. Specifically, we apply style augmentation to the source domain images and mix them with generated images to create style domain images. We then introduce a feature similarity loss that maximizes the feature similarity between adversarially perturbed source domain images and style domain images, encouraging the learned perturbations to be more universal. This approach amplifies the dominance of features introduced by adversarial perturbations compared to SU, thereby improving perturbation universality and targeted transferability. Experiments on the ImageNet-Compatible dataset demonstrate the effectiveness of SADU, boosting the average targeted attack success rate from 25.6% to 36.8% compared to state-of-the-art methods.
HeKZhangXRenS, et al.Identity mappings in deep residual networks. In: Computer Vision–ECCV 2016: 14th European conference, amsterdam, The Netherlands, October 11–14, 2016, Proceedings, Part IV 14, 2016b, pp.630–645. Springer.
2.
KrizhevskyASutskeverIHintonGE. Imagenet classification with deep convolutional neural networks. Commun ACM2017; 60: 84–90.
3.
YurtseverELambertJCarballoA, et al.A survey of autonomous driving: common practices and emerging technologies. IEEE Access2020; 8: 58443–58469.
4.
SunYWangXTangX. Deeply learned face representations are sparse, selective, and robust. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2015, pp.2892–2900.
5.
TaigmanYYangMRanzatoM, et al.Deepface: Closing the gap to human-level performance in face verification. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2014, pp.1701–1708.
6.
GoodfellowIJShlensJSzegedyC. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
7.
DongYLiaoFPangT, et al.Boosting adversarial attacks with momentum. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2018, pp.9185–9193.
8.
LiuAWangJLiuX, et al.Bias-based universal adversarial patch attack for automatic check-out. In: Computer Vision–ECCV 2020: 16th European conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part XIII 16, 2020, pp.395–410. Springer.
9.
WeiZChenJGoldblumM, et al.Towards transferable adversarial attacks on vision transformers. In: Proceedings of the AAAI conference on artificial intelligence, 2022a, pp.2668–2676.
10.
WeiZChenJWuZ, et al.Cross-modal transferable adversarial attacks from images to videos. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2022c, pp.15064–15073.
11.
XieCZhangZZhouY, et al.Improving transferability of adversarial examples with input diversity. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp.2730–2739.
12.
LiuALiuXFanJ, et al.Perceptual-sensitive gan for generating adversarial patches. In: Proceedings of the AAAI conference on artificial intelligence, 2019, pp.1028–1035.
13.
TangSGongRWangY, et al.Robustart: Benchmarking robustness on architecture design and training techniques. arXiv preprint arXiv:2109.05211, 2021.
14.
WeiZChenJWeiX, et al.Heuristic black-box adversarial attacks on video recognition models. In: Proceedings of the AAAI conference on artificial intelligence, 2020, pp.12338–12345.
15.
ZhangCLiuALiuX, et al.Interpreting and improving adversarial robustness of deep neural networks with neuron sensitivity. IEEE Trans Image Process2020b; 30: 1291–1304.
16.
DongYPangTSuH, et al.Evading defenses to transferable adversarial examples by translation-invariant attacks. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp.4312–4321.
17.
WeiZChenJWuZ, et al.Boosting the transferability of video adversarial examples via temporal translation. In: Proceedings of the AAAI conference on artificial intelligence, 2022b, pp.2659–2667.
18.
ZhaoZLiuZLarsonM. On success and simplicity: A second look at transferable targeted attacks. Adv Neural Inf Process Syst2021; 34: 6115–6128.
19.
InkawhichNLiangKWangB, et al.Perturbing across the feature hierarchy to improve standard and strict blackbox attack transferability. Adv Neural Inf Process Syst2020a; 33: 20791–20801.
20.
InkawhichNLiangKJCarinL, et al.Transferable perturbations of deep feature distributions. arXiv preprint arXiv:2004.12519, 2020b.
21.
NaseerMKhanSHayatM, et al.On generating transferable targeted perturbations. In: Proceedings of the IEEE/CVF international conference on computer vision, 2021, pp.7708–7717.
22.
ZhaoAChuTLiuY, et al.Minimizing maximum model discrepancy for transferable black-box targeted attacks. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2023, pp.8153–8162.
23.
LinJSongCHeK, et al.Nesterov accelerated gradient and scale invariance for adversarial attacks. arXiv preprint arXiv:1908.06281, 2019.
24.
WeiZChenJWuZ, et al.Enhancing the self-universality for transferable targeted attacks. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2023, pp.12281–12290.
25.
Moosavi-DezfooliSMFawziAFawziO, et al.Universal adversarial perturbations. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2017, pp.1765–1773.
26.
ZhangCBenzPImtiazT, et al.Understanding adversarial examples from the mutual influence of images and perturbations. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020a, pp.14521–14530.
27.
KurakinAGoodfellowIBengioS. Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236, 2016.
28.
CarliniNWagnerD. Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (sp), 2017, pp.39–57. IEEE.
29.
WangXLinJHuH, et al.Boosting adversarial transferability through enhanced momentum. arXiv preprint arXiv:2103.10609, 2021b.
30.
WangXHeK. Enhancing the transferability of adversarial attacks through variance tuning. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2021, pp.1924–1933.
31.
ZhangJHuangYWuW, et al.Transferable adversarial attacks on vision transformers with token gradient regularization. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2023, pp.16415–16424.
32.
WangJChenZJiangK, et al.Boosting the transferability of adversarial attacks with global momentum initialization. Expert Syst Appl2024; 255: 124757.
33.
WangXHeXWangJ, et al.Admix: Enhancing the transferability of adversarial attacks. In: Proceedings of the IEEE/CVF international conference on computer vision, 2021a, pp.16158–16167.
34.
ByunJChoSKwonMJ, et al.Improving the transferability of targeted adversarial examples through object-based diverse input. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2022, pp.15244–15253.
35.
WangXZhangZZhangJ. Structure invariant transformation for better adversarial transferability. In: Proceedings of the IEEE/CVF international conference on computer vision, 2023, pp.4607–4619.
36.
InkawhichNWenWLiHH, et al.Feature space perturbations yield more transferable adversarial examples. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp.7066–7074.
37.
GatysLAEckerASBethgeM. A neural algorithm of artistic style. arXiv preprint arXiv:1508.06576, 2015.
38.
UlyanovDVedaldiALempitskyV. Improved texture networks: Maximizing quality and diversity in feed-forward stylization and texture synthesis. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2017, pp.6924–6932.
39.
HuangXBelongieS. Arbitrary style transfer in real-time with adaptive instance normalization. In: Proceedings of the IEEE international conference on computer vision, 2017, pp.1501–1510.
40.
RechtBRoelofsRSchmidtL, et al.Do imagenet classifiers generalize to imagenet? In: International conference on machine learning, 2019, pp.5389–5400. PMLR.
41.
WangZLuoYQiuR, et al.Learning to diversify for single domain generalization. In: Proceedings of the IEEE/CVF international conference on computer vision, 2021c, pp.834–843.
42.
ShaoLZhuFLiX. Transfer learning for visual categorization: A survey. IEEE Trans Neural Netw Learn Syst2014; 26: 1019–1034.
43.
YosinskiJCluneJBengioY, et al.How transferable are features in deep neural networks?Adv Neural Inf Process Syst2014; 27. DOI: https://doi.org/10.48550/arXiv.1411.1792
44.
LiYWangNShiJ, et al.Revisiting batch normalization for practical domain adaptation. arXiv preprint arXiv:1603.04779, 2016.
45.
TzengEHoffmanJDarrellT, et al.Simultaneous deep transfer across domains and tasks. In: Proceedings of the IEEE international conference on computer vision, 2015, pp.4068–4076.
46.
CarlucciFMD’InnocenteABucciS, et al.Domain generalization by solving jigsaw puzzles. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, pp.2229–2238.
47.
ZhouKYangYHospedalesT, et al.Deep domain-adversarial image generation for domain generalisation. In: Proceedings of the AAAI conference on artificial intelligence, 2020, pp.13025–13032.
48.
JacksonPTAbarghoueiAABonnerS, et al.Style augmentation: data augmentation via style randomization. In: CVPR workshops, Vol. 6, 2019, pp.10–11.
49.
GhiasiGLeeHKudlurM, et al.Exploring the structure of a real-time, arbitrary neural artistic stylization network. arXiv preprint arXiv:1705.06830, 2017.
50.
HeKZhangXRenS, et al.Deep residual learning for image recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2016a, pp.770–778.
51.
HuangGLiuZVan Der MaatenL, et al.Densely connected convolutional networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2017, pp.4700–4708.
52.
SimonyanKZissermanA. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556, 2014.
53.
SzegedyCVanhouckeVIoffeS, et al.Rethinking the inception architecture for computer vision. In: Proceedings of the IEEE conference on computer vision and pattern recognition, 2016, pp.2818–2826.
54.
DosovitskiyABeyerLKolesnikovA, et al.An image is worth 16x16 words: Transformers for image recognition at scale. arXiv preprint arXiv:2010.11929, 2020.
55.
LiuZLinYCaoY, et al.Swin transformer: Hierarchical vision transformer using shifted windows. In: Proceedings of the IEEE/CVF international conference on computer vision, 2021b, pp.10012–10022.
56.
TouvronHBojanowskiPCaronM, et al.Resmlp: Feedforward networks for image classification with data-efficient training. IEEE Trans Pattern Anal Mach Intell2022; 45: 5314–5321.
57.
LiuHDaiZSoD, et al.Pay attention to mlps. Adv Neural Inf Process Syst2021a; 34: 9204–9215.
58.
TolstikhinIOHoulsbyNKolesnikovA, et al.Mlp-mixer: An all-mlp architecture for vision. Adv Neural Inf Process Syst2021; 34: 24261–24272.
59.
RussakovskyODengJSuH, et al.Imagenet large scale visual recognition challenge. Int J Comput Vis2015; 115: 211–252.
