S4ST: A Strong, Self-transferable, faSt, and Simple Scale Transformation for Data-free Transferable Targeted Attack
Contributions | Evaluation | Analysis | Resources | Acknowledgements | Citation
- We propose self-alignment and self-transferability as blind estimation measures. They serve as effective proxies to analyze basic transformations' effectiveness and synergies without accessing victims or extra data, reducing the reliance on empirical choices common in prior art.
- We pioneer the discovery of simple scaling's superior efficacy in enhancing targeted transferability. This stems from visual data's inherent nature and the universal adoption of scale augmentation during training, revealing a double-edged sword: practices that enhance generalization simultaneously introduce transfer-attack vulnerabilities.
- We propose S4ST, an advanced scaling-centered transformation integrating modified scaling, complementary transformations, and block-wise operations under strict black-box constraints.
- Extensive evaluations across natural images, medical imaging, and face verification validate our framework's transferability. S4ST outperforms existing transformation methods and data-reliant SoTA TTAs (using 50k-1.2M samples), showing robust transferability to commercial APIs and vision-language models (VLMs).
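To make the core idea concrete, the sketch below shows what a simple random scale transformation for attack inputs looks like: draw a factor from [1/s, s], rescale, and pad or crop back to the original resolution. This is an illustrative sketch only, not the repository's S4ST implementation; the function name and the `s`/`p` parameters (mirroring the `--r` and `--pR` options described below) are our own.

```python
import torch
import torch.nn.functional as F

def random_scale(x: torch.Tensor, s: float = 1.9, p: float = 0.9) -> torch.Tensor:
    """Illustrative random scaling: rescale by a factor drawn from [1/s, s],
    then pad or crop back so the model input size stays fixed."""
    # Skip scaling with probability 1 - p.
    if torch.rand(1).item() > p:
        return x
    factor = torch.empty(1).uniform_(1.0 / s, s).item()
    h, w = x.shape[-2:]
    nh, nw = max(1, round(h * factor)), max(1, round(w * factor))
    y = F.interpolate(x, size=(nh, nw), mode="bilinear", align_corners=False)
    if nh <= h and nw <= w:
        # Downscaled: zero-pad back to (h, w) at a random offset.
        top = int(torch.randint(0, h - nh + 1, (1,)))
        left = int(torch.randint(0, w - nw + 1, (1,)))
        y = F.pad(y, (left, w - nw - left, top, h - nh - top))
    else:
        # Upscaled: random-crop back to (h, w).
        top = int(torch.randint(0, nh - h + 1, (1,)))
        left = int(torch.randint(0, nw - w + 1, (1,)))
        y = y[..., top:top + h, left:left + w]
    return y
```

Applied to each input before the gradient step, this keeps the adversarial example's resolution unchanged while diversifying what the surrogate sees.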
Requirements: torch==2.1.0, torchvision==0.16.0, timm==0.9.11. Alternatively, create a fresh environment:

```shell
conda create --name edi -y python=3.10
conda activate edi
conda install pytorch==2.1.0 torchvision==0.16.0 torchaudio==2.1.0 pytorch-cuda=12.1 -c pytorch -c nvidia
python -m pip install -r requirements.txt
```
⬇️ [Optional] For ODI:

```shell
conda install -c fvcore -c iopath -c conda-forge fvcore iopath
conda install pytorch3d
```
You can perform targeted attacks with various input transformation methods, using either a single surrogate model or an ensemble, with the following command:
```shell
# --surrogate : surrogate model; pass several separated by commas,
#               e.g., resnet50,resnet152,densenet121,vgg16_bn
# --methods   : input transformation ('None' for the baseline;
#               DI/RDI/ODI/SI/Admix/SSA/SIA/BSR/S4ST)
# --r         : defines the scale range [1/s, s]
# --pR        : probability of performing scaling
# --pAug      : probability of pre-applying orthogonal transformations
# --block     : blocks for block-wise scaling
# --atkiter   : attack iterations; more diverse inputs require more steps
#               to converge (previously set to 300)
python attack.py --surrogate resnet50 --methods None --r 1.9 --pR 0.9 --pAug 1.0 --block "[2,3]" --atkiter 900
```
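As a rough illustration of what block-wise scaling (controlled by `--block` above) does, the sketch below splits an image into an n × n grid and rescales each cell independently before restoring its size. This is our own simplified interpretation for intuition, not the repository's implementation; `n_blocks` and `s` are illustrative stand-ins for the `--block` and `--r` options.

```python
import torch
import torch.nn.functional as F

def blockwise_scale(x: torch.Tensor, n_blocks: int = 2, s: float = 1.9) -> torch.Tensor:
    """Illustrative block-wise scaling: rescale each grid cell by its own
    random factor from [1/s, s], then resize it back to the cell size so
    the overall image layout is preserved."""
    h, w = x.shape[-2:]
    hs = torch.linspace(0, h, n_blocks + 1).long()
    ws = torch.linspace(0, w, n_blocks + 1).long()
    out = x.clone()
    for i in range(n_blocks):
        for j in range(n_blocks):
            h0, h1 = int(hs[i]), int(hs[i + 1])
            w0, w1 = int(ws[j]), int(ws[j + 1])
            block = x[..., h0:h1, w0:w1]
            factor = torch.empty(1).uniform_(1.0 / s, s).item()
            bh = max(1, round((h1 - h0) * factor))
            bw = max(1, round((w1 - w0) * factor))
            # Rescale the cell, then resize back so the grid stays aligned.
            resized = F.interpolate(block, size=(bh, bw), mode="bilinear", align_corners=False)
            out[..., h0:h1, w0:w1] = F.interpolate(resized, size=(h1 - h0, w1 - w0),
                                                   mode="bilinear", align_corners=False)
    return out
```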
This will print the save directory and store all adversarial examples there (under './results/').
Just run the command below to evaluate the generated examples.
```shell
# --path   : the save directory printed by attack.py
# --target : 'normal' for CNNs and ViTs; 'secured' for robust models
python eval.py --path xxx --target normal
```
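The headline number such an evaluation reports is the targeted success rate: the fraction of adversarial examples that the victim model classifies as the attacker-chosen target class. The exact reporting in `eval.py` may differ; this is a minimal sketch of the standard metric with illustrative names.

```python
import torch

def targeted_success_rate(logits: torch.Tensor, target_labels: torch.Tensor) -> float:
    """Fraction of adversarial examples classified as the attacker's
    target class (illustrative sketch of the standard metric)."""
    return (logits.argmax(dim=1) == target_labels).float().mean().item()
```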
Run the following command; it will print the results. Before that, please download the pretrained generators for TTP and M3D and place them under './models/netG/TTP(M3D)/'.

```shell
python eval_10targets.py --attack TTP  # TTP/M3D/SIA/BSR/S4ST
```
Please see `self_alignment_analysis.py` and `self_transferability_correlation_analysis.py` for details.
Most evaluated models can be downloaded automatically by torchvision and timm. Please manually download the other pretrained weights (SIN&IN, Augmix, AT, Ensemble AT) and place them under './models/weights/'.
The adversarial examples generated for most settings are provided at BaiduNetDisk for further analysis and evaluation, along with the RN50-halfRRC and RN50-woRRC weights and the results obtained from commercial APIs and VLMs.
This repository benefits a lot from previous works, including CFM, Targeted-Transfer, TransferAttackEval, and TransferAttack. Sincere thanks for their contributions to the adversarial machine learning community.
If you have any questions, please contact us via pbow16@nudt.edu.cn.
If you find our work useful, please give us a star 🌟 on GitHub and cite our paper in the following BibTeX format:
```bibtex
@ARTICLE{liu2026s4st,
  author={Liu, Yongxiang and Peng, Bowen and Liu, Li and Li, Xiang},
  journal={IEEE Transactions on Pattern Analysis and Machine Intelligence},
  title={S$^{4}$ST: A Strong, Self-transferable, faSt, and Simple Scale Transformation for Data-free Transferable Targeted Attack},
  year={2026},
  volume={},
  number={},
  pages={1-17},
  doi={10.1109/TPAMI.2026.3679507}
}
```