Adversarial examples (AEs) for DNNs have been shown to be transferable: AEs that successfully fool white-box surrogate models can also deceive other black-box models with different architectures. Although many empirical studies have provided guidance on generating highly transferable AEs, many of these findings lack explanations and even lead to inconsistent advice. In this paper, we take a further step towards understanding adversarial transferability, with a particular focus on surrogate aspects. Starting from the intriguing "little robustness" phenomenon, where models adversarially trained with mildly perturbed adversarial samples can serve as better surrogates, we attribute it to a trade-off between two predominant factors: model smoothness and gradient similarity. Our investigations focus on their joint effects, rather than their separate correlations with transferability. Through a series of theoretical and empirical analyses, we conjecture that the data distribution shift in adversarial training explains the degradation of gradient similarity. Building on these insights, we explore the impacts of data augmentation and gradient regularization on transferability and identify that the trade-off generally exists across the various training mechanisms, thus building a comprehensive blueprint for the regulation mechanism behind transferability. Finally, we provide a general route for constructing better surrogates to boost transferability, which optimizes both model smoothness and gradient similarity simultaneously, e.g., the combination of input gradient regularization and sharpness-aware minimization (SAM), validated by extensive experiments. In summary, we call for attention to the joint impacts of these two factors for launching effective transfer attacks, rather than optimizing one while ignoring the other, and emphasize the crucial role of manipulating surrogate models.
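As an added illustration (not code from the paper), the two surrogate-side quantities the abstract names can be measured directly: gradient similarity as the mean cosine similarity between two models' input gradients, and smoothness as a local gradient-Lipschitz proxy. The tiny numpy MLP, the XOR-like data, the mild sign-perturbation training option and both metric definitions are my own constructions, not the paper's.

```python
import numpy as np

rng = np.random.default_rng(0)
X = rng.normal(size=(400, 2))                 # constructed toy inputs, not from the paper
Y = (X[:, 0] * X[:, 1] > 0).astype(float)     # XOR-like two-class labels

def forward(m, Xs):
    """Hidden activations and sigmoid outputs of a tiny tanh MLP m = (W1, b1, W2, b2)."""
    W1, b1, W2, b2 = m
    H = np.tanh(Xs @ W1 + b1)
    P = 1 / (1 + np.exp(-np.clip(H @ W2 + b2, -30, 30)))
    return H, P

def input_grad(m, Xs, Ys):
    """Gradient of the BCE loss w.r.t. each input: the direction a transfer attack follows."""
    H, P = forward(m, Xs)
    return (np.outer(P - Ys, m[2]) * (1 - H ** 2)) @ m[0].T

def train_mlp(hidden, seed, epochs=500, lr=1.0, eps=0.0):
    """Full-batch GD on (X, Y); eps > 0 trains on mildly sign-perturbed inputs ('little robustness')."""
    r = np.random.default_rng(seed)
    W1 = r.normal(scale=0.5, size=(2, hidden)); b1 = np.zeros(hidden)
    W2 = r.normal(scale=0.5, size=hidden); b2 = 0.0
    for _ in range(epochs):
        m = (W1, b1, W2, b2)
        Xin = X + eps * np.sign(input_grad(m, X, Y)) if eps > 0 else X
        H, P = forward(m, Xin)
        d = (P - Y) / len(Y)                 # dLoss/dlogit, averaged over the batch
        dH = np.outer(d, W2) * (1 - H ** 2)  # backprop through tanh
        W2 = W2 - lr * H.T @ d; b2 = b2 - lr * d.sum()
        W1 = W1 - lr * Xin.T @ dH; b1 = b1 - lr * dH.sum(0)
    return W1, b1, W2, b2

def gradient_similarity(ma, mb, Xs, Ys):
    """Mean cosine similarity of the two models' input gradients (0 where a gradient vanishes)."""
    ga, gb = input_grad(ma, Xs, Ys), input_grad(mb, Xs, Ys)
    num = (ga * gb).sum(1)
    den = np.linalg.norm(ga, axis=1) * np.linalg.norm(gb, axis=1)
    return float(np.mean(np.divide(num, den, out=np.zeros_like(num), where=den > 0)))

def smoothness(m, Xs, Ys, delta=0.05, trials=8):
    """Mean change of the input gradient per unit of random perturbation; lower = smoother."""
    r, g0, total = np.random.default_rng(1), input_grad(m, Xs, Ys), 0.0
    for _ in range(trials):
        D = r.normal(size=Xs.shape)
        D *= delta / np.linalg.norm(D, axis=1, keepdims=True)
        total += np.mean(np.linalg.norm(input_grad(m, Xs + D, Ys) - g0, axis=1)) / delta
    return total / trials
```

To reproduce the abstract's comparison in miniature, train a plain surrogate (`train_mlp(8, 1)`) and a mildly robust one (`train_mlp(8, 1, eps=0.05)`), then report each one's `gradient_similarity` to a differently seeded target (`train_mlp(16, 2)`) alongside its `smoothness`.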