Enhancing Adversarial Transferability through Block Stretch and Shrink

• URL: http://arxiv.org/abs/2511.17688v1
• Date: Fri, 21 Nov 2025 14:00:01 GMT
• Title: Enhancing Adversarial Transferability through Block Stretch and Shrink
• Authors: Quan Liu, Feng Ye, Chenhao Lu, Shuming Zhen, Guanliang Huang, Lunzhe Chen, Xudong Ke,
• Abstract summary: Adversarial attacks introduce small, deliberately crafted perturbations that mislead neural networks.<n>Existing input transformation-based attacks tend to exhibit limited cross-model transferability.<n>We propose Block Stretch and Shrink (BSS), a method that divides an image into blocks and applies stretch and shrink operations to these blocks.
• Score: 10.174268143898049
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Adversarial attacks introduce small, deliberately crafted perturbations that mislead neural networks, and their transferability from white-box to black-box target models remains a critical research focus. Input transformation-based attacks are a subfield of adversarial attacks that enhance input diversity through input transformations to improve the transferability of adversarial examples. However, existing input transformation-based attacks tend to exhibit limited cross-model transferability. Previous studies have shown that high transferability is associated with diverse attention heatmaps and the preservation of global semantics in transformed inputs. Motivated by this observation, we propose Block Stretch and Shrink (BSS), a method that divides an image into blocks and applies stretch and shrink operations to these blocks, thereby diversifying attention heatmaps in transformed inputs while maintaining their global semantics. Empirical evaluations on a subset of ImageNet demonstrate that BSS outperforms existing input transformation-based attack methods in terms of transferability. Furthermore, we examine the impact of the number scale, defined as the number of transformed inputs, in input transformation-based attacks, and advocate evaluating these methods under a unified number scale to enable fair and comparable assessments.

Related papers

• Towards Highly Transferable Vision-Language Attack via Semantic-Augmented Dynamic Contrastive Interaction [67.45032003041399]
  We propose a Semantic-Augmented Dynamic Contrastive Attack (SADCA) that enhances adversarial transferability through progressive and semantically guided perturbations.<n>SADCA establishes a contrastive learning mechanism involving adversarial, positive and negative samples, to reinforce the semantic inconsistency of the obtained perturbations.<n>Experiments on multiple datasets and models demonstrate that SADCA significantly improves adversarial transferability and consistently surpasses state-of-the-art methods.
  arXiv  Detail & Related papers  (2026-03-05T05:46:16Z)
• SegTrans: Transferable Adversarial Examples for Segmentation Models [47.89859018981832]
  Existing adversarial attack methods show poor transferability across different segmentation models.<n>We propose SegTrans, a novel transfer attack framework that divides the input sample into multiple local regions.<n>SegTrans only retains local semantic information from the original input, rather than using global semantic information to optimize perturbations.
  arXiv  Detail & Related papers  (2025-10-10T02:11:29Z)
• Improving Black-Box Generative Attacks via Generator Semantic Consistency [51.470649503929344]
  generative attacks produce adversarial examples in a single forward pass at test time.<n>We enforce semantic consistency by aligning the early generator's intermediate features to an EMA teacher.<n>Our approach can be seamlessly integrated into existing generative attacks with consistent improvements in black-box transfer.
  arXiv  Detail & Related papers  (2025-06-23T02:35:09Z)
• Boosting the Local Invariance for Better Adversarial Transferability [4.75067406339309]
  Transfer-based attacks pose a significant threat to real-world applications.<n>We propose a general adversarial transferability boosting technique called Local Invariance Boosting approach (LI-Boost)<n>Experiments on the standard ImageNet dataset demonstrate that LI-Boost could significantly boost various types of transfer-based attacks.
  arXiv  Detail & Related papers  (2025-03-08T09:44:45Z)
• Enhancing Adversarial Transferability via Component-Wise Transformation [28.209214055953844]
  This paper proposes a novel input-based attack method, termed Component-Wise Transformation (CWT)<n>CWT applies selective rotation to individual image blocks, ensuring that each transformed image highlights different target regions.<n>Experiments on the standard ImageNet dataset show that CWT consistently outperforms state-of-the-art methods in both attack success rates and stability.
  arXiv  Detail & Related papers  (2025-01-21T05:41:09Z)
• PseudoNeg-MAE: Self-Supervised Point Cloud Learning using Conditional Pseudo-Negative Embeddings [55.55445978692678]
  PseudoNeg-MAE enhances global feature representation of point cloud masked autoencoders by making them both discriminative and sensitive to transformations.<n>We propose a novel loss that explicitly penalizes invariant collapse, enabling the network to capture richer transformation cues while preserving discriminative representations.
  arXiv  Detail & Related papers  (2024-09-24T07:57:21Z)
• Bag of Tricks to Boost Adversarial Transferability [5.803095119348021]
  adversarial examples generated under the white-box setting often exhibit low transferability across different models. In this work, we find that several tiny changes in the existing adversarial attacks can significantly affect the attack performance. Based on careful studies of existing adversarial attacks, we propose a bag of tricks to enhance adversarial transferability.
  arXiv  Detail & Related papers  (2024-01-16T17:42:36Z)
• Improving Adversarial Transferability by Stable Diffusion [36.97548018603747]
  adversarial examples introduce imperceptible perturbations to benign samples, deceiving predictions. Deep neural networks (DNNs) are susceptible to adversarial examples, which introduce imperceptible perturbations to benign samples, deceiving predictions. We introduce a novel attack method called Stable Diffusion Attack Method (SDAM), which incorporates samples generated by Stable Diffusion to augment input images.
  arXiv  Detail & Related papers  (2023-11-18T09:10:07Z)
• Structure Invariant Transformation for better Adversarial Transferability [9.272426833639615]
  We propose a novel input transformation based attack, called Structure Invariant Attack (SIA) SIA applies a random image transformation onto each image block to craft a set of diverse images for gradient calculation. Experiments on the standard ImageNet dataset demonstrate that SIA exhibits much better transferability than the existing SOTA input transformation based attacks.
  arXiv  Detail & Related papers  (2023-09-26T06:31:32Z)
• Boosting Adversarial Transferability by Block Shuffle and Rotation [25.603307815394764]
  We propose a novel input transformation based attack called block shuffle and rotation (BSR) BSR splits the input image into several blocks, then randomly shuffles and rotates these blocks to construct a set of new images for gradient calculation. Empirical evaluations on the ImageNet dataset demonstrate that BSR could achieve significantly better transferability than the existing input transformation based methods.
  arXiv  Detail & Related papers  (2023-08-20T15:38:40Z)
• Enhancing the Self-Universality for Transferable Targeted Attacks [88.6081640779354]
  Our new attack method is proposed based on the observation that highly universal adversarial perturbations tend to be more transferable for targeted attacks. Instead of optimizing the perturbations on different images, optimizing on different regions to achieve self-universality can get rid of using extra data. With the feature similarity loss, our method makes the features from adversarial perturbations to be more dominant than that of benign images.
  arXiv  Detail & Related papers  (2022-09-08T11:21:26Z)
• Exploring Transferable and Robust Adversarial Perturbation Generation from the Perspective of Network Hierarchy [52.153866313879924]
  The transferability and robustness of adversarial examples are two practical yet important properties for black-box adversarial attacks. We propose a transferable and robust adversarial generation (TRAP) method. Our TRAP achieves impressive transferability and high robustness against certain interferences.
  arXiv  Detail & Related papers  (2021-08-16T11:52:41Z)
• Admix: Enhancing the Transferability of Adversarial Attacks [46.69028919537312]
  We propose a new input transformation based attack called Admix Attack Method (AAM) AAM considers both the original image and an image randomly picked from other categories. Our method could further improve the transferability and outperform the state-of-the-art combination of input transformations by a clear margin of 3.4%.
  arXiv  Detail & Related papers  (2021-01-31T11:40:50Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.