Enhancing Adversarial Transferability with Adversarial Weight Tuning
Authors: Jiahao Chen, Zhou Feng, Rui Zeng, Yuwen Pu, Chunyi Zhou, Yi Jiang, Yuyou Gan, Jinbao Li, Shouling Ji
AAAI 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments on a variety of models with different architectures on ImageNet demonstrate that AWT yields superior performance over other attacks, with an average increase of nearly 5% and 10% attack success rates on CNN-based and Transformer-based models, respectively, compared to state-of-the-art attacks. |
| Researcher Affiliation | Academia | (1) College of Computer Science and Technology, Zhejiang University; (2) Shandong Artificial Intelligence Institute; (3) School of Mathematics and Statistics, Qilu University of Technology |
| Pseudocode | Yes | Algorithm 1: Adversarial Weight Tuning (AWT) attack |
| Open Source Code | No | The paper does not provide an explicit statement about releasing source code or a link to a repository for the methodology described. |
| Open Datasets | Yes | Evaluation is conducted on the ImageNet-compatible dataset, which is widely utilized in prior work (Qin et al. 2022; Ge et al. 2023; Qiu et al. 2024). |
| Dataset Splits | No | The paper mentions using an "ImageNet-compatible dataset... comprises 1,000 images", but it does not specify how these 1,000 images were split into training, validation, or test sets for the experiments. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory amounts, or detailed computer specifications) used for running its experiments. |
| Software Dependencies | No | The paper does not provide specific software details with version numbers (e.g., library names with versions like Python 3.8, PyTorch 1.9) needed to replicate the experiment. |
| Experiment Setup | Yes | Following the previous work (Ge et al. 2023; Qin et al. 2022; Qiu et al. 2024), we set the maximum perturbation ϵ = 16.0/255, the number of iterations T = 10, and the step size α = 1.6. For MI and NI, the decay factor µ = 1.0. For VMI, we set the number of sampled examples N = 20 and the upper bound of the neighborhood size β = 1.5ϵ. For EMI, we set N = 11, the sampling interval bound η = 7, and use linear sampling. For the RAP attack, we set α = 2.0/255, K = 400, the inner iteration number T = 10, the late-start KLS = 100, and the size of neighborhoods ϵn = 16.0/255. For PGN, NCS and AWT, we set N = 20, the balanced coefficient δ = 0.5, and the upper bound ζ = 3.0ϵ. For AWT alone, we set β = 0.005 and lr = 0.002 for surrogate models used for evaluation. |