Result: SFA: Spatial-Frequency Adversarial Attack method.
More information
Adversarial attacks can successfully fool deep neural networks (DNNs) by perturbing the input, and adversarial examples help evaluate the defensive capabilities of DNNs. In black-box scenarios, adversarial examples exhibit low transferability against normally trained and defensive models. In this paper, we propose a Spatial Frequency Adversarial Attack (SFA), which operates in both spatial and frequency domains. Specifically, in the spatial domain, inspired by Stochastic Average Gradient (SAG) optimization, we leverage historical information to create an initial neighborhood sampling example and then sample near it to propose an Average Historical Gradient Sample Method (AHGSM), optimizing and stabilizing the gradient update direction while introducing high-frequency perturbations. In the frequency domain, we make a groundbreaking discovery that JPEG compression affects normally trained and adversarially trained models differently. Next, we validate this hypothesis by examining the frequency-domain characteristics of effective adversarial examples. Finally, we propose a two-stage attack SFA by integrating JPEG compression as a frequency-based attack with spatial-based AHGSM. Abundant experiments on the ImageNet dataset show that SFA significantly improves the transferability of adversarial examples against both normally and adversarially trained models, establishing it as a state-of-the-art attack in spatial and frequency domains.

• AHGSM: A spatial attack using historical gradients and high-frequency perturbations.
• Frequency Insight: Dropping high-frequency components aids attacking adversarially trained models.
• SFA: A two-stage attack combining AHGSM with JPEG compression.
• SFA outperforms state-of-the-art attacks on different types of models.

[ABSTRACT FROM AUTHOR]