Papers
Topics
Authors
Recent
2000 character limit reached

Transferable Adversarial Examples

Updated 9 December 2025
  • Transferable adversarial examples are perturbed inputs that mislead independently trained models by exploiting overlapping adversarial subspaces.
  • Key factors enhancing transferability include architectural similarity, loss landscape smoothness, and refined gradient aggregation techniques.
  • Robust defense strategies, such as ensemble training and trigger-based models, are being developed to counter these cross-model adversarial attacks.

Transferable adversarial examples are perturbed inputs that retain their adversarial effectiveness across distinct, independently trained models or architectures. Unlike purely white-box attacks, transferable adversarial examples enable black-box adversarial attacks on a target model with unknown parameters or architecture, by leveraging the adversarial vulnerability of a different source (surrogate) model. This transfer property has significant implications for the security and robustness of deep neural networks, as it enables query-free black-box attacks on deployed systems and poses a substantial challenge to defense strategies.

1. Geometric and Theoretical Basis of Transferability

Early work established that adversarial examples populate high-dimensional contiguous subspaces around data points, rather than isolated directions. Tramèr et al. empirically determined that for MNIST models, the adversarial subspace often has dimensionality around 25, and these subspaces significantly overlap for independently trained models (Tramèr et al., 2017). As a result, most random directions in one model’s adversarial subspace have a high chance of lying in the intersection with another model’s subspace, making transfer a likely event.

Quantitative analysis of decision boundary similarities further demonstrates that the inter-boundary distance between two models, along both adversarial and benign directions, is often much less than the perturbation budget required to traverse the boundary, supporting the geometric likelihood of transfer (Tramèr et al., 2017). The probability of transfer increases with the dimensionality of these adversarial subspaces.

Theoretically, sufficient conditions for transfer are established for linear and certain nonlinear classifiers: if there exists a common adversarial direction (e.g., the mean-shift vector between class centroids), then sufficiently large perturbations in this direction will induce misclassification in all models whose decision boundaries align with these features. However, transfer is not guaranteed if models exploit orthogonal non-robust features.

2. Factors Influencing Transferability

Transferability is governed by both model-specific and optimization-specific factors.

  • Architectural Similarity: Transfer success is maximized when source and target models share architectural type and capacity. Empirically, transfer rates τ(A→B) are highest for source-target pairs within the same network family, and transferability is asymmetric, i.e., τ(A→B) ≠ τ(B→A) (Wu et al., 2018, Petrov et al., 2019).
  • Model Capacity and Accuracy: Lower-capacity, high-accuracy models often produce adversarial examples with higher transfer potential, possibly due to less overfitting of complex boundary geometry (Wu et al., 2018).
  • Representation Overlap: Models trained on similar data distributions with similar inductive biases tend to learn boundaries that are close in input space, enabling shared adversarial vulnerability (Tramèr et al., 2017).

Optimization and Attack Methodology

  • Boundary Overfitting: Simple attacks (FGSM, PGD) generate perturbations closely aligned with the source model’s loss landscape, often overfitting to model-specific idiosyncrasies, limiting transfer (Huang et al., 2021).
  • Loss Landscape Smoothness: Attacks that operate in locally smooth regions (“flat maxima”) produce perturbations robust to shifts in the decision boundary, yielding higher transfer (Wu et al., 2023).
  • Gradient Shattering: Highly oscillatory, “shattered” gradients are model-specific; smoothed or variance-reduced gradient estimates align better across models and improve black-box success rates (Wu et al., 2018, Huang et al., 2021).

3. Algorithmic Approaches to Enhancing Transferability

Multiple approaches have been proposed to improve the transferability of adversarial examples, which can be categorized as follows:

Input and Transformation Averaging

  • Variance-Reduced Attacks: Smoothing the loss landscape via input-space perturbations (e.g., averaging gradients over Gaussian noise) increases the alignment of attack directions across models. The variance-reduced iterative method (vr-IGSM) achieves up to 30% improvement in cross-architecture transfer rates on ImageNet (Wu et al., 2018).
  • Direction Aggregation: The Direction-Aggregated Attack (DA-Attack) aggregates sign-gradients over a Gaussian cloud around each input, avoiding overfitting and stabilizing the direction of perturbation. DA-TI-DIM achieves state-of-the-art transfer rates against both normal and adversarially trained ImageNet models (Huang et al., 2021).
  • Bayesian and Data-Augmentation Priors: Averaging gradients over block-masked images (MaskBlock), local mixup of transformed images (IDAA), or data-augmented variants (Diverse Inputs, Translation-Invariance) corresponds to optimizing over a local posterior of model behaviors, improving transfer (Fan et al., 2022, Liu et al., 24 Jan 2024).
  • Gradient Norm Penalty: Optimizing in regions of low input gradient norm via explicit penalization (GNP) forces the attack to converge to flat maxima, yielding black-box success rates up to 54% from baselines of 27% across ten unseen ImageNet models (Wu et al., 2023).

Model and Knowledge Aggregation

  • Ensemble Surrogates and Posterior Sampling: Attacks crafted against Bayesian surrogate models (e.g., cyclical SGLD weight samples) or deep ensembles more faithfully approximate the uncertainty in the target, leading to up to 94% transfer success on ImageNet and a 4.8× reduction in computational cost over naive ensemble attacks (Gubri et al., 2020).
  • Common Knowledge Learning (CKL): Training a “student” network via knowledge distillation from multiple teacher architectures, with additional gradient-alignment loss, produces a model whose adversarial gradients generalize across architectures. CKL increases transfer success by 10–30 percentage points in cross-family attacks (e.g., CNN→Transformer) (Yang et al., 2023).

Novel Example Ranking and Candidate Selection

  • Transferability Ranking: Heuristic estimation of transfer potential by ensembling target model surrogates and ranking adversarial candidates by average loss or confidence scores can yield transfer rates close to the “oracle” upper bound (up to 100% in some scenarios), far surpassing random candidate selection (Levy et al., 2022).
  • PEAS (Augmentation-Selection): By evaluating multiple candidate perturbations under imperceptible augmentations and surrogate ensembles, PEAS doubles or triples black-box attack success rates compared to base attacks (Avraham et al., 20 Oct 2024).

Distributional and Structure-Preserving Attacks

  • Structure-Preserving Transformations (SPT): Instead of L_p-constrained pixel-wise perturbations, SPT computes an injective mapping preserving high-level structure, enabling attack generalization even outside the source domain and resilience to strong adversarial defenses (Peng et al., 2018).
  • Object-Based Diverse Input (ODI): Adversarial images mapped onto 3D objects, rendered under randomized conditions, and “seen” by the model under a distribution over input geometries, achieve a targeted transfer success rate of 47% (vs 28% of prior state of the art) (Byun et al., 2022).
  • Domain-Invariant Generative Approaches: Instance-agnostic generators trained on unrelated source domains (e.g., paintings) using relativistic loss can produce perturbations that fool natural-image classifiers trained on entirely different domains at rates of up to 99% for ℓ_∞ ≤ 16/255 (Naseer et al., 2019).

4. Transferability Across Tasks and Modalities

While initial research focused on image classification, transferability has also been demonstrated—and systematically analyzed—in other domains:

  • Image Forensics: Transferability is surprisingly low, especially across different architectures and datasets, providing some robustness in security-oriented forensic applications. Only strong attacks with large perturbation budgets reliably transfer, particularly on median-filter detection tasks (Barni et al., 2018).
  • Semantic Segmentation: Adversarial examples are less prone to overfitting to the source in VGG-based segmenters but face transfer limitations due to the multi-scale features of modern architectures. Randomized input scaling (dynamic scaling) during attack creation overcomes these limitations and achieves high transfer even between architectures (Gu et al., 2021). Two-stage weighting strategies balancing pixel-wise attackability and cross-model divergence further improve segmentation attack transfer (Jia et al., 2023).
  • Object Detection: Category-wise attacks targeting full heatmaps, rather than instance bounding boxes, using high-level semantic cues are highly transferable—achieving 99% mAP drop across CenterNet and Faster R-CNN with only 0.2–0.7% pixels perturbed (Liao et al., 2021).

5. Quantitative Protocols and Fair Assessment

Conclusive comparison of transferability requires:

  • Experimental Controls: Using “strong” white-box attacks (e.g., 0% source accuracy), then uniformly post-processing adversarial examples by clipping to specified L_∞ bounds, and reporting transferability as a function of human-aligned metrics (e.g., SSIM), not just raw distortion (Petrov et al., 2019).
  • Ensemble and Candidate Pooling: Measuring transferability across diverse surrogate–victim pairs, ensembles, or with augmented attack candidate pools, and reporting transferability @K improves relevance for deployment scenarios (Levy et al., 2022, Avraham et al., 20 Oct 2024).
  • Cross-Architecture and Cross-Domain Evaluation: Adversarial example transfer should be evaluated not only within architectural families, but on the most architecture-diverse and domain-diverse pairs to reflect realistic black-box risk (Tramèr et al., 2017, Naseer et al., 2019).

6. Transferability in Robust Training and Defenses

Transferable adversarial examples challenge existing defense techniques. However, new strategies have been developed that either exploit or defend against transferability:

  • Accelerated Adversarial Training: The ATTA method demonstrates that adversarial examples generated against one model epoch maintain their adversariality across subsequent epochs, enabling per-epoch perturbation recycling and reducing training cost by up to an order of magnitude while maintaining robustness (Zheng et al., 2019).
  • Trigger Activation Defenses: Models trained to output random guesses on clean inputs and revert to proper predictions only when a fixed “trigger” vector is added are empirically robust to transferable adversarial perturbations. Theoretical first-order analysis bounds adversarial impact by the ratio of attack to trigger budget, and learnable triggers provide enhanced robustness—achieving up to 84% robust accuracy under eight black-box attacks on CIFAR-10 with minimal clean accuracy drop (Yu et al., 20 Apr 2025).
  • Role of Uncertainty: Bayesian surrogates model epistemic uncertainty and thus produce attacks matching the true variety of plausible deployed networks, yielding higher transferability than ensembles or test-time augmentation tricks (Gubri et al., 2020).
  • Limitations of Conventional Defenses: Ensemble adversarial training and input transformations (e.g., JPEG, padding, denoisers) present partial robustness but are circumvented by recent transfer-enhancing attack formulations (Wu et al., 2023, Huang et al., 2021).

7. Current Limitations and Outlook

Several open problems and vulnerabilities persist:

  • Adaptive Defenses: As attack strategies employ more search diversity (e.g., augmentations, model/posterior sampling, candidate ranking), defenses must anticipate transfer rather than simply increasing decision boundary distance as in naïve adversarial training (Yu et al., 20 Apr 2025).
  • Architectural Diversity for Defense: Theoretical and empirical results indicate that transferability is minimized when models rely on genuinely different non-robust features—raising the prospect of defense via enforced representation diversity or trigger mechanisms.
  • Scalability and Efficiency: While techniques such as DA-Attack and PEAS dramatically improve transfer success, they incur greater computational cost per sample or require large candidate pools/augmentation ensembles—posing challenges in real-time/large-batch settings (Avraham et al., 20 Oct 2024, Huang et al., 2021).
  • Segmentation and Detection: Emerging transfer techniques for segmentation (dynamic scaling, weighted pixel strategies) and detection (semantic/heatmap-based perturbations) show that transfer vulnerabilities extend beyond classification and require specifically tailored defenses (Jia et al., 2023, Liao et al., 2021, Gu et al., 2021).

Ongoing and future research is expected to further clarify the interplay between model diversity, attack strategy, uncertainty quantification, and defense design in the context of transferable adversarial examples.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (20)
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.

Whiteboard

Follow Topic

Get notified by email when new papers are published related to Transferable Adversarial Examples.

Add Bell Notification Streamline Icon: https://streamlinehq.com Sign Up to Follow Topic by Email