Revisiting Transferable Adversarial Images: Systemization, Evaluation, and New Insights.

IF 18.6 1区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

IEEE Transactions on Pattern Analysis and Machine Intelligence Pub Date : 2025-09-16 DOI:10.1109/tpami.2025.3610085

Zhengyu Zhao,Hanwei Zhang,Renjue Li,Ronan Sicre,Laurent Amsaleg,Michael Backes,Qi Li,Qian Wang,Chao Shen

{"title":"Revisiting Transferable Adversarial Images: Systemization, Evaluation, and New Insights.","authors":"Zhengyu Zhao,Hanwei Zhang,Renjue Li,Ronan Sicre,Laurent Amsaleg,Michael Backes,Qi Li,Qian Wang,Chao Shen","doi":"10.1109/tpami.2025.3610085","DOIUrl":null,"url":null,"abstract":"Transferable adversarial images raise critical security concerns for computer vision systems in real-world, blackbox attack scenarios. Although many transfer attacks have been proposed, existing research lacks a systematic and comprehensive evaluation. In this paper, we systemize transfer attacks into five categories around the general machine learning pipeline and provide the first comprehensive evaluation, with 23 representative attacks against 11 representative defenses, including the recent, transfer-oriented defense and the real-world Google Cloud Vision. In particular, we identify two main problems of existing evaluations: (1) for attack transferability, lack of intra-category analyses with fair hyperparameter settings, and (2) for attack stealthiness, lack of diverse measures. Our evaluation results validate that these problems have indeed caused misleading conclusions and missing points, and addressing them leads to new, consensuschallenging insights, such as (1) an early attack, DI, even outperforms all similar follow-up ones, (2) the state-of-the-art (whitebox) defense, DiffPure, is even vulnerable to (black-box) transfer attacks, and (3) even under the same Lp constraint, different attacks yield dramatically different stealthiness results regarding diverse imperceptibility metrics, finer-grained measures, and a user study. We hope that our analyses will serve as guidance on properly evaluating transferable adversarial images and advance the design of attacks and defenses.","PeriodicalId":13426,"journal":{"name":"IEEE Transactions on Pattern Analysis and Machine Intelligence","volume":"14 1","pages":""},"PeriodicalIF":18.6000,"publicationDate":"2025-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Pattern Analysis and Machine Intelligence","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1109/tpami.2025.3610085","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Transferable adversarial images raise critical security concerns for computer vision systems in real-world, blackbox attack scenarios. Although many transfer attacks have been proposed, existing research lacks a systematic and comprehensive evaluation. In this paper, we systemize transfer attacks into five categories around the general machine learning pipeline and provide the first comprehensive evaluation, with 23 representative attacks against 11 representative defenses, including the recent, transfer-oriented defense and the real-world Google Cloud Vision. In particular, we identify two main problems of existing evaluations: (1) for attack transferability, lack of intra-category analyses with fair hyperparameter settings, and (2) for attack stealthiness, lack of diverse measures. Our evaluation results validate that these problems have indeed caused misleading conclusions and missing points, and addressing them leads to new, consensuschallenging insights, such as (1) an early attack, DI, even outperforms all similar follow-up ones, (2) the state-of-the-art (whitebox) defense, DiffPure, is even vulnerable to (black-box) transfer attacks, and (3) even under the same Lp constraint, different attacks yield dramatically different stealthiness results regarding diverse imperceptibility metrics, finer-grained measures, and a user study. We hope that our analyses will serve as guidance on properly evaluating transferable adversarial images and advance the design of attacks and defenses.

查看原文本刊更多论文

重新审视可转移的对抗图像：系统化、评估和新见解。

在现实世界的黑箱攻击场景中，可转移的对抗图像引起了计算机视觉系统的关键安全问题。虽然提出了许多转移攻击，但现有的研究缺乏系统和全面的评价。在本文中，我们围绕一般机器学习管道将传输攻击系统分为五类，并提供了第一次全面评估，用23种代表性攻击对抗11种代表性防御，包括最近的，面向传输的防御和现实世界的谷歌云视觉。特别是，我们确定了现有评估的两个主要问题：(1)攻击可转移性，缺乏具有公平超参数设置的类别内分析；(2)攻击隐身性，缺乏多样化的措施。我们的评估结果证实，这些问题确实导致了误导性的结论和缺失点，解决这些问题会导致新的、挑战共识的见解，例如(1)早期攻击DI甚至优于所有类似的后续攻击，(2)最先进的（白盒）防御，DiffPure甚至容易受到（黑盒）传输攻击，(3)即使在相同的Lp约束下，关于不同的不可感知度量、细粒度度量和用户研究，不同的攻击会产生截然不同的隐身性结果。我们希望我们的分析能够为正确评估可转移的对抗图像提供指导，并推进攻击和防御的设计。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Pattern Analysis and Machine Intelligence 工程技术-工程：电子与电气

CiteScore

28.40

自引率

3.00%

发文量

885

审稿时长

8.5 months

期刊介绍： The IEEE Transactions on Pattern Analysis and Machine Intelligence publishes articles on all traditional areas of computer vision and image understanding, all traditional areas of pattern analysis and recognition, and selected areas of machine intelligence, with a particular emphasis on machine learning for pattern analysis. Areas such as techniques for visual search, document and handwriting analysis, medical image analysis, video and image sequence analysis, content-based retrieval of image and video, face and gesture recognition and relevant specialized hardware and/or software architectures are also covered.