The transfer-based black-box adversarial attack setting poses the challenge of crafting an adversarial example (AE) on known surrogate models that remains effective against unseen target models. Due to the practical importance of this task, numerous methods have been proposed to address this challenge. However, most previous methods are heuristically designed and intuitively justified, lacking a theoretical foundation. To bridge this gap, we derive a novel transferability bound that offers provable guarantees for adversarial transferability. Our theoretical analysis has the advantages of (i) deepening our understanding of previous methods by building a general attack framework and (ii) providing guidance for designing an effective attack algorithm. Our theoretical results demonstrate that optimizing AEs toward flat minima over the surrogate model set, while controlling the surrogate-target model shift measured by the adversarial model discrepancy, yields a comprehensive guarantee for AE transferability. The results further lead to a general transfer-based attack framework, within which we observe that previous methods consider only a subset of the factors contributing to transferability. Algorithmically, inspired by our theoretical results, we first carefully construct the surrogate model set so that its models exhibit diverse adversarial vulnerabilities with respect to AEs, narrowing an instantiated adversarial model discrepancy. Then, a model-Diversity-compatible Reverse Adversarial Perturbation (DRAP) is generated to effectively promote the flatness of AEs over diverse surrogate models and thereby improve transferability. Extensive experiments on the NIPS2017 and CIFAR-10 datasets against various target models demonstrate the effectiveness of our proposed attack.