Frequency-domain augmentation and multi-scale feature alignment for improving transferability of adversarial examples

IF 4.4 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-04-11 DOI:10.1016/j.comnet.2025.111261

Gui-Hong Li, Heng-Ru Zhang, Fan Min

{"title":"Frequency-domain augmentation and multi-scale feature alignment for improving transferability of adversarial examples","authors":"Gui-Hong Li, Heng-Ru Zhang, Fan Min","doi":"10.1016/j.comnet.2025.111261","DOIUrl":null,"url":null,"abstract":"<div><div>Transfer-based adversarial attack implies that the same adversarial example can fool Deep Neural Networks (DNNs) with different architectures. Model-related approaches train a new surrogate model in local to generate adversarial examples. However, because DNNs with different architectures focus on diverse features within the same data, adversarial examples generated by surrogate models frequently exhibit poor transferability when the surrogate and target models have significant architectural differences. In this paper, we propose a Two-Stage Generation Framework (TSGF) through frequency-domain augmentation and multi-scale feature alignment to address this issue. In the stage of surrogate model training, we enable the surrogate model to capture various features of data through detail and diversity enhancement. Detail enhancement increases the weight of details in clean examples by a frequency-domain augmentation module. Diversity enhancement incorporates slight adversarial examples into the training process to increase the diversity of clean examples. In the stage of adversarial generation, we perturb the distinctive features that different models focus on to improve transferability by a multi-scale feature alignment attack technique. Specifically, we design a loss function using the intermediate multi-layer features of the surrogate model to maximize the difference between the features of clean and adversarial examples. We compare TSGF with a combination of three closely related surrogate model training schemes and the most relevant adversarial attack methods. Results show that TSGF improves transferability across significantly different architectures. The implementation of TSGF is available at <span><span>https://github.com/zhanghrswpu/TSGF</span><svg><path></path></svg></span>.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"264 ","pages":"Article 111261"},"PeriodicalIF":4.4000,"publicationDate":"2025-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625002294","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Transfer-based adversarial attack implies that the same adversarial example can fool Deep Neural Networks (DNNs) with different architectures. Model-related approaches train a new surrogate model in local to generate adversarial examples. However, because DNNs with different architectures focus on diverse features within the same data, adversarial examples generated by surrogate models frequently exhibit poor transferability when the surrogate and target models have significant architectural differences. In this paper, we propose a Two-Stage Generation Framework (TSGF) through frequency-domain augmentation and multi-scale feature alignment to address this issue. In the stage of surrogate model training, we enable the surrogate model to capture various features of data through detail and diversity enhancement. Detail enhancement increases the weight of details in clean examples by a frequency-domain augmentation module. Diversity enhancement incorporates slight adversarial examples into the training process to increase the diversity of clean examples. In the stage of adversarial generation, we perturb the distinctive features that different models focus on to improve transferability by a multi-scale feature alignment attack technique. Specifically, we design a loss function using the intermediate multi-layer features of the surrogate model to maximize the difference between the features of clean and adversarial examples. We compare TSGF with a combination of three closely related surrogate model training schemes and the most relevant adversarial attack methods. Results show that TSGF improves transferability across significantly different architectures. The implementation of TSGF is available at https://github.com/zhanghrswpu/TSGF.

查看原文本刊更多论文

频域增强和多尺度特征对齐提高对抗性示例的可转移性

基于转移的对抗攻击意味着，同一个对抗示例可以骗过不同架构的深度神经网络（DNN）。与模型相关的方法会在本地训练一个新的代理模型，以生成对抗示例。然而，由于不同架构的 DNNs 专注于同一数据中的不同特征，当代用模型和目标模型在架构上存在显著差异时，代用模型生成的对抗示例往往表现出很差的可移植性。本文通过频域增强和多尺度特征对齐提出了两阶段生成框架（TSGF）来解决这一问题。在代用模型训练阶段，我们通过细节增强和多样性增强使代用模型能够捕捉数据的各种特征。细节增强通过频域增强模块增加干净示例中细节的权重。多样性增强将轻微的对抗示例纳入训练过程，以增加干净示例的多样性。在对抗生成阶段，我们通过多尺度特征对齐攻击技术，对不同模型所关注的显著特征进行扰动，以提高可移植性。具体来说，我们利用代用模型的中间多层特征设计了一个损失函数，以最大化干净示例和对抗示例特征之间的差异。我们将 TSGF 与三种密切相关的代理模型训练方案和最相关的对抗攻击方法进行了比较。结果表明，TSGF 显著提高了不同架构之间的可移植性。TSGF 的实现可在 https://github.com/zhanghrswpu/TSGF 上获得。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.