arxiv: 2605.18919 · v1 · pith:DDB6YQNDnew · submitted 2026-05-18 · 💻 cs.CR · cs.AI · cs.LG

MoCo-EA: Exploiting Adversarial Mode Connectivity for Efficient Evolutionary Attacks

Pith reviewed 2026-05-20 10:08 UTC · model grok-4.3

keywords: adversarial attacks, evolutionary algorithms, mode connectivity, Bézier curves, transferability, black-box attacks, query efficiency, manifold structure

The pith

Adversarial perturbations connect along continuous paths where intermediate points often transfer better than the endpoints themselves.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that successful adversarial perturbations lie on connected manifolds rather than as isolated points. It replaces discrete genetic crossover in evolutionary attacks with a Bézier curve operator that searches along the continuous path between parent perturbations. This geometric exploitation yields higher transferability, faster convergence, and fewer queries to the target model. Readers would care because the approach makes black-box attacks more practical while reframing how we think about the structure of adversarial space.

Core claim

The paper claims that successful adversarial perturbations exhibit mode connectivity, so intermediate points along optimized continuous paths achieve higher transferability than the endpoint perturbations. By introducing a Bézier crossover operator that optimizes perturbations along a continuous curve between parents instead of discrete interpolation, the evolutionary algorithm exploits this structure to produce stronger attacks with reduced query requirements and quicker convergence.

What carries the argument

Bézier crossover operator that optimizes perturbations along a continuous curve between parent perturbations to exploit mode connectivity.

If this is right

  • Evolutionary attacks converge in fewer generations and require fewer queries to the target model.
  • The generated adversarial examples transfer more effectively to unseen models.
  • Adversarial space is better modeled as having manifold structure with useful intermediate points rather than discrete isolated successes.
  • Defense research can target the connecting paths instead of single perturbation points.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenses might improve by sampling or disrupting likely paths between known adversarial examples rather than isolated points.
  • The connectivity insight could extend to other black-box optimization problems where discrete recombination wastes useful intermediate structure.
  • Hybrid methods that combine path optimization with limited gradient information may further reduce query budgets on complex models.

Load-bearing premise

Adversarial examples lie on connected manifolds where intermediate points maintain and often enhance attack effectiveness.

What would settle it

Select pairs of successful adversarial perturbations, compute intermediate points along the Bézier curve connecting them, and measure whether those points show lower attack success or transferability than the endpoints.
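
The check described above can be run as a path profile: for each t, record whether the interpolated perturbation stays in budget and still fools the model. The sketch below is an added example, not code from the paper or from Pith; it assumes a quadratic Bézier curve with a single control point (the page does not give the paper's parameterization), an ℓ∞ budget `EPS`, and two constructed radius-threshold toy classifiers standing in for a surrogate and a transfer target.

```python
import math

def bezier(d1, ctrl, d2, t):
    """Quadratic Bezier point between perturbations d1 and d2 (assumed form)."""
    a, b, c = (1 - t) ** 2, 2 * t * (1 - t), t ** 2
    return [a * p + b * q + c * r for p, q, r in zip(d1, ctrl, d2)]

def make_model(radius):
    """Constructed toy classifier: label 0 inside an L2 ball at the origin, else 1."""
    return lambda z: 0 if math.sqrt(sum(v * v for v in z)) < radius else 1

def path_profile(model, x, label, d1, ctrl, d2, eps, steps=21):
    """Rows of (t, within L-inf budget, misclassified) along the raw, unoptimized path."""
    rows = []
    for i in range(steps):
        t = i / (steps - 1)
        delta = bezier(d1, ctrl, d2, t)
        in_budget = max(abs(v) for v in delta) <= eps + 1e-12
        fooled = model([xi + di for xi, di in zip(x, delta)]) != label
        rows.append((t, in_budget, fooled))
    return rows

def success_rate(rows, interior_only=True):
    """Fraction of path points that are both in budget and misclassified."""
    pts = [r for r in rows if not interior_only or 0.0 < r[0] < 1.0]
    return sum(1 for _, ok, fooled in pts if ok and fooled) / len(pts)

# Constructed setup: clean input, its true label, budget, two parent perturbations.
X, LABEL, EPS = [0.0, 0.0], 0, 1.0
D1, D2 = [1.0, 0.2], [0.2, 1.0]
MID = [(a + b) / 2 for a, b in zip(D1, D2)]  # control at the midpoint = straight chord
BENT = [1.0, 1.0]                            # hypothetical control point bending the path
SURROGATE, TARGET = make_model(1.0), make_model(1.1)

def report():
    """(start fooled, end fooled, interior success rate) per path and per model."""
    out = {}
    for pname, ctrl in (("chord", MID), ("bezier", BENT)):
        for mname, model in (("surrogate", SURROGATE), ("target", TARGET)):
            rows = path_profile(model, X, LABEL, D1, ctrl, D2, EPS)
            out[(pname, mname)] = (rows[0][2], rows[-1][2], success_rate(rows))
    return out

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With these constructed values the straight chord leaves the misclassified region as soon as it departs the endpoints, while the bent curve stays inside it and part of its interior also fools the stricter target. On a real model the same profile, computed before any path optimization, is the measurement the referee report on this page asks for.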

Figures

Figures reproduced from arXiv: 2605.18919 by Binghui Wang, Can Chen, Gang Luo, Hyo Seo Kim, Ren Wang, Yue Duan.

Figure 1: Overview of MoCo-EA. C&W attacks target different ℓp norms (Carlini & Wagner, 2017), while AutoAttack provides a robust ensemble for evaluation (Croce & Hein, 2020). Stronger transfer-based variants incorporate momentum (Dong et al., 2018), input diversity (Xie et al., 2019), and translation invariance (Dong et al., 2019). However, most gradient-based methods operate locally around a single example and d…

Abstract

Evolutionary algorithms for adversarial attacks leverage population-based search to discover perturbations without gradient information, but suffer from inefficient crossover operations that destroy adversarial properties through discrete interpolation. We introduce Mode Connectivity Evolutionary Attack (MoCo-EA), which replaces traditional crossover with a novel Bézier crossover operator that optimizes perturbations along a continuous Bézier curve between parent perturbations. Our key insight is that adversarial examples lie on connected manifolds where intermediate points maintain and often enhance attack effectiveness. We demonstrate three findings: (1) Successful adversarial perturbations exhibit mode connectivity; (2) Intermediate points along optimized paths achieve higher transferability than endpoints; (3) Bézier crossover dramatically outperforms discrete genetic operations while reducing convergence time and query requirements. By exploiting the geometric structure of adversarial space through path optimization, MoCo-EA provides an efficient and reliable method. Our work challenges the traditional view of adversarial examples as isolated points and opens new directions for both attack generation and defense research.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The manuscript introduces MoCo-EA, an evolutionary algorithm for black-box adversarial attacks that replaces discrete crossover with a Bézier curve operator. It claims that successful adversarial perturbations exhibit mode connectivity on connected manifolds, that intermediate points along optimized paths achieve higher transferability than the endpoints, and that the Bézier crossover yields faster convergence and fewer queries than traditional genetic operations.

Significance. If the geometric claims are substantiated, the work reframes adversarial space as having exploitable connectivity rather than isolated points and supplies a practical efficiency gain for gradient-free attacks. This could inform both stronger attack generation and defenses that account for manifold structure.

major comments (1)
  1. [Abstract and §4] Abstract and §4 (Mode Connectivity Experiments): the claim that 'adversarial examples lie on connected manifolds where intermediate points maintain and often enhance attack effectiveness' lacks direct supporting measurements. No loss or attack-success curves are shown for the raw Bézier path (t ∈ (0,1)) prior to auxiliary optimization; without these, it remains possible that reported transferability gains arise from the path-optimization step rather than intrinsic connectivity, weakening the justification for replacing discrete crossover.
minor comments (2)
  1. [§5] The experimental section should include ablation tables that isolate the contribution of the Bézier operator from the rest of the evolutionary loop, with statistical significance reported across runs.
  2. [§3] Notation for the Bézier curve parameterization and the auxiliary optimization objective should be stated explicitly with equations.

Simulated Author's Rebuttal

1 response · 0 unresolved

We are grateful to the referee for the thorough review and valuable suggestions. The major comment highlights an important aspect of our experimental validation, which we address in detail below. We have prepared revisions to incorporate additional supporting evidence as outlined in our response.

  1. Referee: [Abstract and §4] Abstract and §4 (Mode Connectivity Experiments): the claim that 'adversarial examples lie on connected manifolds where intermediate points maintain and often enhance attack effectiveness' lacks direct supporting measurements. No loss or attack-success curves are shown for the raw Bézier path (t ∈ (0,1)) prior to auxiliary optimization; without these, it remains possible that reported transferability gains arise from the path-optimization step rather than intrinsic connectivity, weakening the justification for replacing discrete crossover.

    Authors: We thank the referee for pointing out this potential gap in our presentation of the mode connectivity results. Upon review, we confirm that the experiments in Section 4 primarily report on the performance after optimizing the Bézier curve parameters to find effective paths. To directly substantiate the intrinsic connectivity of adversarial perturbations, we will revise the manuscript to include new experimental results: specifically, attack success rate and loss curves for raw (unoptimized) Bézier interpolations between pairs of parent adversarial examples, for t ranging from 0 to 1. These curves will demonstrate that a significant portion of intermediate points along the raw paths are successful adversarial examples, supporting our claim that the connectivity is a property of the adversarial manifold rather than solely resulting from the auxiliary optimization. This revision will be added to Section 4 and referenced in the abstract if necessary. We believe this will fully address the concern and strengthen the justification for our Bézier crossover approach.

    revision: yes

Circularity Check

0 steps flagged

Derivation self-contained; mode connectivity treated as empirical premise, not derived by construction


The paper states its key insight directly as an assumption about adversarial manifolds and then reports experimental outcomes from Bézier path optimization. No equations, fitted parameters, or self-citations are presented in the provided text that would reduce the central claims (mode connectivity, improved transferability of intermediates, or superiority of Bézier crossover) to tautological redefinitions or inputs. The findings are framed as demonstrations rather than predictions forced by prior definitions within the work itself. This matches the default expectation of no significant circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claims rest primarily on the domain assumption of mode connectivity in adversarial space; no free parameters or invented entities are explicitly introduced in the abstract.

axioms (1)
  • domain assumption: Adversarial examples lie on connected manifolds where intermediate points maintain and often enhance attack effectiveness
    Stated directly as the key insight enabling the Bézier crossover replacement for discrete operations.

pith-pipeline@v0.9.0 · 5708 in / 1028 out tokens · 29246 ms · 2026-05-20T10:08:51.859911+00:00 · methodology


Reference graph

Works this paper leans on

36 extracted references · 36 canonical work pages

  1. Alzantot, M., Sharma, Y., Chakraborty, S., Zhang, H., Hsieh, C.-J., and Srivastava, M. B. Genattack: Practical black-box attacks with gradient-free optimization. In Genetic and Evolutionary Computation Conference (GECCO), pp. 111–119, 2019.

  2. Athalye, A., Carlini, N., and Wagner, D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning (ICML), pp. 274–283, 2018.

  3. Brendel, W., Rauber, J., and Bethge, M. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In International Conference on Learning Representations (ICLR), 2018.

  4. Carlini, N. and Wagner, D. Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy (SP), pp. 39–57, 2017.

  5. Chen, J., Su, M., Shen, S., Xiong, H., and Zheng, H. Poba-ga: Perturbation optimized black-box adversarial attacks via genetic algorithm. In Computers & Security, pp. 89–106, 2019.

  6. Chen, J., Jordan, M. I., and Wainwright, M. J. Hopskipjumpattack: A query-efficient decision-based attack. In IEEE Symposium on Security and Privacy (SP), pp. 1277–1294. IEEE, 2020.

  7. Chen, P.-Y., Zhang, H., Sharma, Y., Yi, J., and Hsieh, C.-J. Zoo: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM workshop on artificial intelligence and security, pp. 15–26, 2017.

  8. Costa, J. C., Roxo, T., Proença, H., and Inacio, P. R. M. How deep learning sees the world: A survey on adversarial attacks & defenses. IEEE Access, 12:61113–61136, 2024.

  9. Croce, F. and Hein, M. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International Conference on Machine Learning (ICML), pp. 2206–2216, 2020.

  10. Deng, J., Dong, W., Socher, R., Li, L.-J., Li, K., and Fei-Fei, L. Imagenet: A large-scale hierarchical image database. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2009.

  11. Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., and Li, J. Boosting adversarial attacks with momentum. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 9185–9193, 2018.

  12. Dong, Y., Pang, T., Su, H., and Zhu, J. Evading defenses to transferable adversarial examples by translation-invariant attacks. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 4312–4321, 2019.

  13. Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., and Houlsby, N. An image is worth 16x16 words: Transformers for image recognition at scale. In International Conference on Learning Representations (ICLR), 2021.

  14. Draxler, F., Veschgini, K., Salmhofer, M., and Hamprecht, F. Essentially no barriers in neural network energy landscape. In International Conference on Machine Learning (ICML), 2018.

  15. Engstrom, L., Ilyas, A., Salman, H., Santurkar, S., and Tsipras, D. Robustness (python library), 2019. URL https://github.com/MadryLab/robustness

  16. Freeman, C. D. and Bruna, J. Topology and geometry of half-rectified network optimization. In International Conference on Learning Representations (ICLR), 2017.

  17. Garipov, T., Izmailov, P., Podoprikhin, D., Vetrov, D. P., and Wilson, A. G. Loss surfaces, mode connectivity, and fast ensembling of dnns. In Advances in Neural Information Processing Systems (NeurIPS), 2018.

  18. Goodfellow, I. J., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In International Conference on Learning Representations (ICLR), 2015.

  19. He, K., Zhang, X., Ren, S., and Sun, J. Deep residual learning for image recognition. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 770–778, 2016.

  20. Kingma, D. P. and Ba, J. Adam: A method for stochastic optimization. In International Conference on Learning Representations (ICLR), 2015.

  21. Krizhevsky, A. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009.

  22. Li, W., Deka, D., Wang, R., and Paternina, M. R. A. Physics-constrained adversarial training for neural networks in stochastic power grids. IEEE Transactions on Artificial Intelligence, 5(3):1121–1131, 2023.

  23. Liu, Y., Cheng, Y., Gao, L., Liu, X., Zhang, Q., and Song, J. Practical evaluation of adversarial robustness via adaptive auto attack. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 15105–15114, 2022.

  24. Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations (ICLR), 2018.

  25. Qin, Z., Fan, Y., Liu, Y., Shen, L., Zhang, Y., Wang, J., and Wu, B. Boosting the transferability of adversarial attacks with reverse adversarial perturbation. In Advances in Neural Information Processing Systems (NeurIPS), pp. 29845–29858, 2022.

  26. Ren, J., Chen, P.-Y., and Wang, R. Revisiting mode connectivity in neural networks with bezier surface. In The Thirteenth International Conference on Learning Representations, 2025.

  27. Shi, Y. and Wang, R. Exploring nonlinear pathway in parameter space for machine unlearning. Forty-third International Conference on Machine Learning, 2026.

  28. Su, J., Vargas, D. V., and Sakurai, K. One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 23(5):828–841, 2019.

  29. Vrabel, J., Shem-Ur, O., Oz, Y., and Krueger, D. Input space mode connectivity in deep neural networks. In International Conference on Learning Representations (ICLR), 2025.

  30. Wang, R., Xu, K., Liu, S., Chen, P.-Y., Weng, T.-W., Gan, C., and Wang, M. On fast adversarial robustness adaptation in model-agnostic meta-learning. In International Conference on Learning Representations, 2021.

  31. Wang, R., Chen, T., Lindsly, S. M., Stansbury, C. M., Rehemtulla, A., Rajapakse, I., and Hero, A. O. Rails: A robust adversarial immune-inspired learning system. IEEE Access, 10:22061–22078, 2022a.

  32. Wang, R., Chen, T., Yao, P., Liu, S., Rajapakse, I., and Hero, A. O. Ask: Adversarial soft k-nearest neighbor attack and defense. IEEE Access, 10:103074–103088, 2022b.

  33. Wang, R., Li, Y., and Liu, S. Exploring diversified adversarial robustness in neural networks via robust mode connectivity. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 2346–2352, 2023.

  34. Wang, R., Li, Y., and Hero, A. Deep adversarial defense against multilevel-lp attacks. IEEE International Workshop on Machine Learning for Signal Processing (MLSP), 2024.

  35. Xie, C., Zhang, Z., Zhou, Y., Bai, S., Wang, J., Ren, Z., and Yuille, A. L. Improving transferability of adversarial examples with input diversity. In IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 2730–2739, 2019.

  36. Zhang, X., Xu, K., Hu, Z., and Wang, R. Optimizing robustness and accuracy in mixture of experts: A dual-model approach. In Forty-second International Conference on Machine Learning, 2025.