Transfer attacks, which craft transferable adversarial examples through surrogate models, have generated significant interest for real-world black-box applications. However, existing works essentially optimize a single-level objective directly w.r.t. the surrogate model, which always leads to poor interpretability of the attack mechanism and limited generalization performance over unknown victim models. In this work, we propose the BilEvel Transfer AttacK (BETAK) framework by establishing an initialization-derived bilevel optimization paradigm, which explicitly reformulates the nested constraint relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker. Algorithmically, we introduce Hyper Gradient Response (HGR) estimation as effective feedback on transferability over pseudo-victim attackers, and propose the Dynamic Sequence Truncation (DST) technique to dynamically adjust the back-propagation path for HGR while reducing computational overhead. We also conduct a detailed algorithmic analysis and provide a convergence guarantee that supports non-convexity of the LL surrogate attacker. Extensive evaluations demonstrate substantial improvement of BETAK (e.g., a 53.41% increase in attack success rates against IncRes-v2$_{ens}$) against different victims and defense methods in targeted and untargeted attack scenarios. The source code is available at https://github.com/callous-youth/BETAK.