Recently, there has been increasing concern about the vulnerability of deep neural network (DNN)-based synthetic aperture radar (SAR) automatic target recognition (ATR) to adversarial attacks, in which a DNN can be easily deceived by a clean input carrying an imperceptible but aggressive perturbation. This paper studies the synthetic-to-measured (S2M) transfer setting, where an attacker generates adversarial perturbations based solely on synthetic data and transfers them against victim models trained with measured data. Compared with the current measured-to-measured (M2M) transfer setting, our approach does not need direct access to the victim model or the measured SAR data. We also propose the transferability estimation attack (TEA) to uncover the adversarial risks in this more challenging and practical scenario. The TEA makes full use of the limited similarity between the synthetic and measured data pairs for blind estimation and optimization of S2M transferability, which makes surrogate model enhancement feasible without access to the victim model and data. Comprehensive evaluations on the publicly available synthetic and measured paired labeled experiment (SAMPLE) dataset demonstrate that the TEA outperforms state-of-the-art methods and can significantly enhance various attack algorithms in computer vision and remote sensing applications. Code and data are available at https://github.com/scenarri/S2M-TEA.