Spatial-frequency gradient fusion based model augmentation for high transferability adversarial attack

In recent years, deep learning has gained widespread application across diverse fields, including image classification and machine translation. Nevertheless, the emergence of adversarial examples has revealed a vulnerability of deep learning techniques to potential attacks. Despite the introduction of diverse adversarial attack methods, they are still constrained by certain limitations. Specifically, global perturbations are easily discernible by humans, resulting in poor imperceptibility. Additionally, current methods encounter limited transferability due to their reliance on attacking specific models. To address these challenges, this paper proposed a spatial-frequency gradient fusion based model augmentation for adversarial attack. First, we utilize a Gaussian convolution kernel to pinpoint regions in images that exhibit significant pixel variation, aiming to generate locally imperceptible perturbations undetectable by humans. These areas, which we consider as complex texture regions, are ideal for adding perturbations. Then, we design a perceptual similarity constraint to regulate the generation of perturbations in smooth texture regions. Subsequently, to further enhance the transferability of our method, we propose a spatial-frequency gradient fusion based model augmentation, applying random spectral transformation to shift into the frequency domain for narrowing the differences between models. Additionally, we design complex region scaling transformations in the spatial domain, aimed at capturing common features shared across models. Finally, we integrate the gradients from both the spatial and frequency domains, leveraging the strengths of both to empower attack models in effectively simulating the target model. Extensive experiments conducted on ImageNet and CIFAR-10 datasets have shown that our method attains a remarkable black-box attack success rate of up to 93.1%, with a perceptual loss reduction of approximately 8.39%, while also exhibiting stronger robustness.