基于空频双域特征融合的高迁移性对抗样本生成方法

张世辉; 赵鹏宇; 张尧; 韩少杰

doi:10.12263/DZXB.20250521

您当前的位置：

首页 >

文章列表页 >

基于空频双域特征融合的高迁移性对抗样本生成方法

学术论文 | 更新时间：2026-06-04

- 基于空频双域特征融合的高迁移性对抗样本生成方法
- A Highly Transferable Adversarial Example Generation Method via Spatial-Frequency Dual-Domain Feature Fusion
- 电子学报 2026年54卷第1期页码：125-140
- 作者机构：
  
  1.燕山大学人工智能学院，河北秦皇岛 066000
  2.河北省计算机虚拟技术与系统集成重点实验室，河北秦皇岛 066000
- 作者简介：
  
  [ "张世辉男，1973年出生于河北省赞皇县。现为燕山大学人工智能学院教授、博士生导师。主要研究方向为计算机视觉、人工智能与模式识别、对抗样本生成与防御等。E-mail： sshhzz@ysu.edu.cn" ]
  [ "赵鹏宇男，2002年10月出生于河北省保定市。现为燕山大学硕士研究生。主要研究方向为对抗样本生成和计算机视觉。E-mail： zhaopengyu200210@163.com" ]
  [ "张尧男，2003年5月出生于江苏省淮安市。现为燕山大学硕士研究生。主要研究方向为计算机视觉。E-mail： 19932810534@163.com" ]
  [ "韩少杰男，2001年9月出生于河北省邯郸市。现为燕山大学硕士研究生。主要研究方向为对抗样本生成和计算机视觉。E-mail： hshaojie2023@163.com" ]
- 基金信息：
  
  国家自然科学基金(62476235);河北省自然科学基金(F2023203012)
- DOI：10.12263/DZXB.20250521
  中图分类号： TP391.4;
- 收稿：2025-06-19，
  
  录用：2025-12-30，
  
  纸质出版：2026-01-25
- 稿件说明：
移动端阅览
张世辉, 赵鹏宇, 张尧, 等. 基于空频双域特征融合的高迁移性对抗样本生成方法[J]. 电子学报, 2026, 54(01): 125-140.

ZHANG Shihui, ZHAO Pengyu, ZHANG Yao, et al. A Highly Transferable Adversarial Example Generation Method via Spatial-Frequency Dual-Domain Feature Fusion[J]. Acta Electronica Sinica, 2026, 54(01): 125-140.
张世辉, 赵鹏宇, 张尧, 等. 基于空频双域特征融合的高迁移性对抗样本生成方法[J]. 电子学报, 2026, 54(01): 125-140. DOI：10.12263/DZXB.20250521

ZHANG Shihui, ZHAO Pengyu, ZHANG Yao, et al. A Highly Transferable Adversarial Example Generation Method via Spatial-Frequency Dual-Domain Feature Fusion[J]. Acta Electronica Sinica, 2026, 54(01): 125-140. DOI：10.12263/DZXB.20250521

摘要

尽管深度神经网络在许多领域中均表现出卓越的性能，但对抗样本的存在暴露出其在安全方面的显著缺陷。现有黑盒攻击方法通常仅在单一域中进行对抗攻击，忽视了多域特征协同扰动在提升对抗样本迁移性中的重要作用，且多存在损失函数功能单一问题，难以兼顾目标类别导向与梯度稳定。鉴于此，本文提出了一种基于空频双域特征融合的高迁移性对抗样本生成方法（Spatial-Frequency Dual-domain Feature Fusion，SFDFF）。首先，使用离散余弦变换将输入样本从空间域转换至频率域，区域级融合输入样本与原始样本的频率域特征；其次，利用逆离散余弦变换将输入样本还原至空间域，并向其注入基于原始样本统计特征的噪声；然后，通道级融合输入样本与原始样本的空间域特征；最后，设计了一种兼具目标引导与稳定梯度的双导向损失以进一步提高攻击性能。在ImageNet-Compatible与CIFAR-10数据集上的大量实验验证了所提方法的性能。例如，在ImageNet-Compatible数据集上，当从adv-RN-50模型迁移至LeViT模型时，所提SFDFF方法的攻击成功率较当前最优方法提升了2.5%。本文代码见

https：//github.com/ipkpkpk/SFDFF

https://github.com/ipkpkpk/SFDFF

。

Abstract

Despite the remarkable performance of deep neural networks across various fields

the existence of adversarial examples reveals significant security vulnerabilities. Existing black-box attack methods typically operate within a single domain

overlooking the importance of multi-domain feature co-perturbation in enhancing the transferability of adversarial examples. Moreover

many methods suffer from a single-purpose loss function

making it difficult to balance target class guidance and gradient stability. To address these issues

this paper proposes a high-transferability adversarial examples generation method based on spatial-frequency dual-domain feature fusion (SFDFF). Specifically

the input examples are first transformed from the spatial domain to the frequency domain using the discrete cosine transform

and region-level feature fusion is performed between the input and clean examples in the frequency domain. Then

the input examples are restored to the spatial domain via the inverse discrete

cosine transform

and noise based on the statistical characteristics of the original examples are injected. Next

channel-level fusion of spatial features between the input and clean examples are conducted. Finally

a dual-guidance loss function is designed to simultaneously enhance target class directionality and gradient stability. Extensive experiments on ImageNet-Compatible and CIFAR-10 datasets demonstrate the performance of the proposed method. For instance

the attack success rate of the proposed SFDFF increases by 2.5% compared to the state-of-the-art method when transferred from the adv-RN-50 to LeViT model on ImageNet-Compatible dataset. The code is available at

https://github.com/ipkpkpk/SFDFF

关键词

Keywords

references

He Kaiming , Zhang Xiangyu , Ren Shaoqing , et al . Deep residual learning for image recognition [C ] // 2016 IEEE Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2016 : 770 - 778 . DOI: 10.1109/cvpr.2016.90 http://dx.doi.org/10.1109/cvpr.2016.90

Huang Gao , Liu Zhuang , Van Der Maaten L , et al . Densely connected convolutional networks [C ] // 2017 IEEE Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2017 : 2261 - 2269 . DOI: 10.1109/cvpr.2017.243 http://dx.doi.org/10.1109/cvpr.2017.243

Zhang Peiyuan , Luo Junwei , Yang Xue , et al . PointOBB-v3: Expanding performance boundaries of single point-supervised oriented object detection [J ] . International Journal of Computer Vision , 2025 , 133 ( 9 ): 6108 - 6128 . DOI: 10.1007/s11263-025-02486-4 http://dx.doi.org/10.1007/s11263-025-02486-4

Lin Zhiwei , Liu Zhe , Xia Zhongyu , et al . RCBEVDet: Radar-camera fusion in bird’s eye view for 3D object detection [C ] // 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2024 : 14928 - 14937 . DOI: 10.1109/cvpr52733.2024.01414 http://dx.doi.org/10.1109/cvpr52733.2024.01414

张世辉 , 张晓微 , 宋丹丹 , 等 . 基于逆扰动融合生成对抗网络的对抗样本防御方法 [J ] . 电子学报 , 2023 , 51 ( 4 ): 879 - 884 .

Zhang Shihui , Zhang Xiaowei , Song Dandan , et al . Adversarial example defense method based on inverse perturbation fusing generative adversarial network [J ] . Acta Electronica Sinica , 2023 , 51 ( 4 ): 879 - 884 . (in Chinese)

吴骥 , 邵文泽 , 葛琦 , 等 . 一种基于迭代累积梯度的多层特征重要性攻击方法 [J ] . 电子学报 , 2024 , 52 ( 11 ): 3798 - 3808 .

Wu Ji , Shao Wenze , Ge Qi , et al . A multi-layer feature importance attack method based on iterative accumulated gradients [J ] . Acta Electronica Sinica , 2024 , 52 ( 11 ): 3798 - 3808 . (in Chinese)

王硕 , 徐茹枝 , 关志涛 . 基于主特征归因的对抗样本生成方法研究 [J ] . 电子学报 , 2023 , 51 ( 11 ): 3137 - 3145 .

Wang Shuo , Xu Ruzhi , Guan Zhitao . Research on the generation of adversarial samples based on the attribution of principal features [J ] . Acta Electronica Sinica , 2023 , 51 ( 11 ): 3137 - 3145 . (in Chinese)

Kurakin A , Goodfellow I J , Bengio S . Adversarial examples in the physical world [M ] //Yampolskiy R V. Artificial intelligence safety and security . New York : Chapman and Hall/CRC , 2018 : 99 - 112 . DOI: 10.1201/9781351251389-8 http://dx.doi.org/10.1201/9781351251389-8

Dong Yinpeng , Liao Fangzhou , Pang Tianyu , et al . Boosting adversarial attacks with momentum [C ] // 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2018 : 9185 - 9193 . DOI: 10.1109/cvpr.2018.00957 http://dx.doi.org/10.1109/cvpr.2018.00957

Lin Jiadong , Song Chuanbiao , He Kun , et al . Nesterov accelerated gradient and scale invariance for adversarial attacks [PP/OL ] . V5.arXiv ( 2020-02-03 )[ 2025-06-20 ] . https://arXiv.org/abs/1908.06281 https://arXiv.org/abs/1908.06281 . DOI: 10.1109/icist66592.2025.11306725 http://dx.doi.org/10.1109/icist66592.2025.11306725

Wang Xiaosen , He Kun . Enhancing the transferability of adversarial attacks through variance tuning [C ] // 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2021 : 1924 - 1933 . DOI: 10.1109/cvpr46437.2021.00196 http://dx.doi.org/10.1109/cvpr46437.2021.00196

Xie Cihang , Zhang Zhishuai , Zhou Yuyin , et al . Improving transferability of adversarial examples with input diversity [C ] // 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2019 : 2725 - 2734 . DOI: 10.1109/cvpr.2019.00284 http://dx.doi.org/10.1109/cvpr.2019.00284

Zou Junhua , Pan Zhisong , Qiu Junyang , et al . Improving the transferability of adversarial examples with resized-diverse-inputs, diversity-ensemble and region fitting [C ] // Proceedings of the 16th European Conference on Computer Vision . Heidelberg : Springer , 2020 : 563 - 579 . DOI: 10.1007/978-3-030-58542-6_34 http://dx.doi.org/10.1007/978-3-030-58542-6_34

Dong Yinpeng , Pang Tianyu , Su Hang , et al . Evading defenses to transferable adversarial examples by translation-invariant attacks [C ] // 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2019 : 4307 - 4316 . DOI: 10.1109/cvpr.2019.00444 http://dx.doi.org/10.1109/cvpr.2019.00444

Wang Xiaosen , He Xuanran , Wang Jingdong , et al . Admix: Enhancing the transferability of adversarial attacks [C ] // 2021 IEEE/CVF International Conference on Computer Vision . Piscataway : IEEE , 2022 : 16138 - 16147 . DOI: 10.1109/iccv48922.2021.01585 http://dx.doi.org/10.1109/iccv48922.2021.01585

Long Yuyang , Zhang Qilong , Zeng Boheng , et al . Frequency domain model augmentation for adversarial attack [C ] // Proceedings of the 17th European Conference on Computer Vision . Heidelberg : Springer , 2022 : 549 - 566 . DOI: 10.1007/978-3-031-19772-7_32 http://dx.doi.org/10.1007/978-3-031-19772-7_32

Li Jiachun , Hu Yuchao , Yan Cheng . FDAA: A feature distribution-aware transferable adversarial attack method [J ] . Neural Networks , 2024 , 178 : 106467 . DOI: 10.1016/j.neunet.2024.106467 http://dx.doi.org/10.1016/j.neunet.2024.106467

Zhao Zhengyu , Liu Zhuoran , Larson M . On success and simplicity: A second look at transferable targeted attacks [PP/OL ] . V4.arXiv ( 2021-10-26 )[ 2025-10-10 ] . https://arxiv.org/abs/2012.11207 https://arxiv.org/abs/2012.11207 . DOI: 10.5260/chara.21.2.8 http://dx.doi.org/10.5260/chara.21.2.8

Weng Juanjuan , Luo Zhiming , Li Shoazi , et al . Logit margin matters: Improving transferable targeted adversarial attack by logit calibration [J ] . IEEE Transactions on Information Forensics and Security , 2023 , 18 : 3561 - 3574 . DOI: 10.1109/tifs.2023.3284649 http://dx.doi.org/10.1109/tifs.2023.3284649

Inkawhich N , Liang K J , Carin L , et al . Transferable perturbations of deep feature distributions [PP/OL ] . V1.arXiv ( 2020-04-27 )[ 2025-06-20 ] . https://arXiv.org/abs/2004.12519 https://arXiv.org/abs/2004.12519 .

Byun J , Kwon M J , Cho S , et al . Introducing competition to boost the transferability of targeted adversarial examples through clean feature mixup [C ] // 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2023 : 24648 - 24657 . DOI: 10.1109/cvpr52729.2023.02361 http://dx.doi.org/10.1109/cvpr52729.2023.02361

Weng Juanjuan , Luo Zhiming , Li Shaozi . Improving transferable targeted adversarial attack via normalized logit calibration and truncated feature mixing [J ] . IEEE Transactions on Information Forensics and Security , 2025 , 20 : 4595 - 4609 . DOI: 10.1109/tifs.2025.3563820 http://dx.doi.org/10.1109/tifs.2025.3563820

Liang Kaisheng , Dai Xuelong , Li Yanjie , et al . Improving transferable targeted attacks with feature tuning Mixup [C ] // 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2025 : 25802 - 25811 . DOI: 10.1109/cvpr52734.2025.02403 http://dx.doi.org/10.1109/cvpr52734.2025.02403

Simonyan K , Zisserman A . Very deep convolutional networks for large-scale image recognition [PP/OL ] . V6.arXiv ( 2015-04-10 )[ 2025-06-20 ] . https://arXiv.org/abs/1409.1556 https://arXiv.org/abs/1409.1556 .

Sandler M , Howard A , Zhu Menglong , et al . MobileNetV2: Inverted residuals and linear bottlenecks [C ] // 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2018 : 4510 - 4520 . DOI: 10.1109/cvpr.2018.00474 http://dx.doi.org/10.1109/cvpr.2018.00474

Tan Mingxing , Le Q V . EfficientNet: Rethinking model scaling for convolutional neural networks [PP/OL ] . V5.arXiv ( 2020-09-11 )[ 2025-10-10 ] . https://arXiv.org/abs/1905.11946 https://arXiv.org/abs/1905.11946 .

Szegedy C , Ioffe S , Vanhoucke V , et al . Inception-v4, inception-ResNet and the impact of residual connections on learning [PP/OL ] . V2.arXiv ( 2016-08-23 )[ 2025-10-10 ] . https://arxiv.org/abs/1602.07261 https://arxiv.org/abs/1602.07261 . DOI: 10.1609/aaai.v31i1.11231 http://dx.doi.org/10.1609/aaai.v31i1.11231

Szegedy C , Vanhoucke V , Ioffe S , et al . Rethinking the inception architecture for computer vision [C ] // 2016 IEEE Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2016 : 2818 - 2826 . DOI: 10.1109/cvpr.2016.308 http://dx.doi.org/10.1109/cvpr.2016.308

Dosovitskiy A , Beyer L , Kolesnikov A , et al . An image is worth 16 × 16 words: Transformers for image recognition at scale [PP/OL ] . V2.arXiv ( 2021-06-03 )[ 2025-06-18 ] . https://arXiv.org/abs/2010.11929 https://arXiv.org/abs/2010.11929 .

Graham B , El-Nouby A , Touvron H , et al . LeViT: A vision transformer in ConvNet’s clothing for faster inference [C ] // 2021 IEEE/CVF International Conference on Computer Vision . Piscataway : IEEE , 2021 : 12239 - 12249 . DOI: 10.1109/iccv48922.2021.01204 http://dx.doi.org/10.1109/iccv48922.2021.01204

D’Ascoli S , Touvron H , Leavitt M L , et al . ConViT: Improving vision transformers with soft convolutional inductive biases [J ] . Journal of Statistical Mechanics: Theory and Experiment , 2022 , 2022 ( 11 ): 114005 . DOI: 10.1088/1742-5468/ac9830 http://dx.doi.org/10.1088/1742-5468/ac9830

Chu Xiangxiang , Tian Zhi , Wang Yuqing , et al . Twins: Revisiting the design of spatial attention in vision transformers [C ] // Proceedings of the 35th International Conference on Neural Information Processing Systems . Red Hook : Curran Associates Inc , 2021 : 716 .

Heo B , Yun S , Han D , et al . Rethinking spatial dimensions of vision transformers [C ] // 2021 IEEE/CVF International Conference on Computer Vision . Piscataway : IEEE , 2021 : 11916 - 11925 . DOI: 10.1109/iccv48922.2021.01172 http://dx.doi.org/10.1109/iccv48922.2021.01172

Pang Tianyu , Xu Kun , Du Chao , et al . Improving adversarial robustness via promoting ensemble diversity [PP/OL ] . V3.arXiv ( 2019-05-29 )[ 2025-10-10 ] . https://arxiv.org/abs/1901.08846 https://arxiv.org/abs/1901.08846 .

Kariyappa S , Qureshi M K . Improving adversarial robustness of ensembles with diversity training [PP/OL ] . V1.arXiv ( 2019-01-28 )[ 2025-06-20 ] . https://arXiv.org/abs/1901.09981 https://arXiv.org/abs/1901.09981 .

Byun J , Cho S , Kwon M J , et al . Improving the transferability of targeted adversarial examples through object-based diverse input [C ] // 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition . Piscataway : IEEE , 2022 : 15223 - 15232 . DOI: 10.1109/cvpr52688.2022.01481 http://dx.doi.org/10.1109/cvpr52688.2022.01481

浏览量

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

基于类别相似性驱动的动态伪目标对抗攻击方法研究

一种基于迭代累积梯度的多层特征重要性攻击方法

结合自适应步长策略和数据增强机制提升对抗攻击迁移性

一种信号外推和层级学习SAR超分辨率方法

基于耦合三角型拓扑的IPD高选择性带通滤波器综合设计和实验研究