pith. machine review for the scientific record. sign in

arxiv: 1704.03453 · v2 · submitted 2017-04-11 · 📊 stat.ML · cs.CR· cs.LG

Recognition: unknown

The Space of Transferable Adversarial Examples

Florian Tram\`er , Nicolas Papernot , Ian Goodfellow , Dan Boneh , Patrick McDaniel
Authors on Pith no claims yet
classification 📊 stat.ML cs.CRcs.LG
keywords adversarialexamplesmodelsdimensionalitytransferabilityattacksboundariesdifferent
0
0 comments X
read the original abstract

Adversarial examples are maliciously perturbed inputs designed to mislead machine learning (ML) models at test-time. They often transfer: the same adversarial example fools more than one model. In this work, we propose novel methods for estimating the previously unknown dimensionality of the space of adversarial inputs. We find that adversarial examples span a contiguous subspace of large (~25) dimensionality. Adversarial subspaces with higher dimensionality are more likely to intersect. We find that for two different models, a significant fraction of their subspaces is shared, thus enabling transferability. In the first quantitative analysis of the similarity of different models' decision boundaries, we show that these boundaries are actually close in arbitrary directions, whether adversarial or benign. We conclude by formally studying the limits of transferability. We derive (1) sufficient conditions on the data distribution that imply transferability for simple model classes and (2) examples of scenarios in which transfer does not occur. These findings indicate that it may be possible to design defenses against transfer-based attacks, even for models that are vulnerable to direct attacks.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 4 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. VectorSmuggle: Steganographic Exfiltration in Embedding Stores and a Cryptographic Provenance Defense

    cs.CR 2026-05 unverdicted novelty 7.0

    Steganographic exfiltration attacks succeed on embedding stores via retrieval-preserving perturbations such as small-angle orthogonal rotation, but an Ed25519-based provenance signature closes the attack class.

  2. Towards Deep Learning Models Resistant to Adversarial Attacks

    stat.ML 2017-06 accept novelty 7.0

    Adversarial training via projected gradient descent on the inner maximization problem produces neural networks with substantially improved resistance to a wide range of attacks and establishes security against first-o...

  3. Almost for Free: Crafting Adversarial Examples with Convolutional Image Filters

    cs.LG 2026-05 conditional novelty 6.0

    Optimized 3x3 adversarial image filters based on edge detection generate transferable untargeted attacks on neural networks with 30-80% success using only one pass and far fewer parameters than prior methods.

  4. Quantum Patches: Enhancing Robustness of Quantum Machine Learning Models

    quant-ph 2026-04 unverdicted novelty 6.0

    Random quantum circuits used as adversarial training data reduce successful attack rates on QML models for CIFAR-10 from 89.8% to 68.45% and for CINIC-10 from 94.23% to 78.68%.