Adversarial examples are a critical security threat to various visual applications, where injected human-imperceptible perturbations can confuse the model's output. Generating transferable adversarial examples in the black-box setting is crucial but challenging in practice. Existing input-diversity-based methods adopt different image transformations, but may be inefficient due to insufficient input diversity and an identical perturbation step size. Motivated by the fact that different image regions have distinctive weights in classification, this paper proposes a black-box adversarial generative framework by jointly designing enhanced input diversity and adaptive step sizes. We design local mixup to randomly mix a group of transformed adversarial images, strengthening the input diversity. For precise adversarial generation, we project the perturbation into the $\tanh$ space to relax the boundary constraint. Moreover, the step sizes of different regions can be dynamically adjusted by integrating a second-order momentum. Extensive experiments on ImageNet validate that our framework can achieve superior transferability compared to state-of-the-art baselines.