Abstract: Deep neural networks are vulnerable to adversarial attacks, yet most existing attack research focuses on adversarial examples that induce fixed, static mispredictions. In this work, we instead exploit a dynamical adversarial manifold that depends on image transforms, which are a group of functions commonly used for data augmentation, preprocessing, and deployment. We incorporate image transforms into the adversarial optimization process, such that at test-time the same transforms, when applied under malicious conditions, act as triggers that induce diverse adversarial behaviors. We show that a single bounded perturbation can encode behaviors that are selectively activated under different transforms. Our study shows that this transform-dependent property consistently exists across multiple deep network architectures (e.g., CNNs and transformers), computer vision tasks (e.g., image classification and object detection), and a broad range of commonly used image transforms. We further characterize how the number of embeddable targets scales with the transform, the victim architecture, and the perturbation budget. Additionally, to further motivate its real-world relevance, we extend our transform-dependent formulation to a camera-in-the-loop setting, demonstrating its effectiveness under challenging physical conditions. In summary, we introduce a novel and controllable paradigm for adversarial attack deployment, exposing a previously uncharacterized property in deep neural networks.
Submission Type: Regular submission (no more than 12 pages of main content)
Assigned Action Editor: ~Pin-Yu_Chen1
Submission Number: 8016