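1. School of Electronics and Information, Northwestern Polytechnical University, Xi'an, Shaanxi 710129, China
2. Aerospace Information Research Institute, Chinese Academy of Sciences, Beijing 100094, China
ZHAO Changfei (赵畅菲), male, born in August 1999 in Luohe, Henan Province. He is currently a Ph.D. candidate at the School of Electronics and Information, Northwestern Polytechnical University. His main research interest is the security of intelligent algorithms. E-mail: cfzhao@mail.nwpu.edu.cn
DENG Xinyang (邓鑫洋), male, born in August 1988 in Guang'an, Sichuan Province. He is currently an associate professor at the School of Electronics and Information, Northwestern Polytechnical University. His main research interests are multi-source information fusion, Dempster-Shafer evidence theory, modeling and processing of uncertain information, and the security of intelligent algorithms. E-mail: xinyang.deng@nwpu.edu.cn
JIANG Wen (蒋雯), female, born in March 1974 in Xi'an, Shaanxi Province. She is currently a professor at the School of Electronics and Information, Northwestern Polytechnical University. Her main research interests are information fusion, artificial intelligence, remote sensing image processing, and the security of intelligent algorithms. Chinese Institute of Electronics member No. E190020409S. E-mail: jiangwen@nwpu.edu.cn
ZHU Jinbiao (朱金彪), male, born in December 1977 in Dezhou, Shandong Province. He is currently a professor-level senior engineer at the Aerospace Information Research Institute, Chinese Academy of Sciences. His main research interests are intelligent remote sensing systems and microwave penetrating detection technology. E-mail: zhujb@aircas.ac.cn
GENG Jie (耿杰), male, born in December 1990 in Jinzhong, Shanxi Province. He is currently an associate professor at the School of Electronics and Information, Northwestern Polytechnical University. His main research interests are SAR image processing, remote sensing image classification, and few-shot learning. E-mail: gengjie@nwpu.edu.cn
Received: 2026-02-11,
Accepted: 2026-03-19,
Published in print: 2026-03-25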
ZHAO Changfei, DENG Xinyang, JIANG Wen, et al. A Method for Enhancing the Transferability of Adversarial Examples Based on Multi-Perspective Confidence Fusion[J]. Acta Electronica Sinica, 2026, 54(03): 1062-1077. DOI:10.12263/DZXB.20260011
Adversarial attacks expose the vulnerabilities of deep learning models, and effective adversarial attack methods aid in uncovering potential weaknesses. Existing gradient-based adversarial attacks overfit the characteristics of the attacked white-box model, resulting in poor transferability to black-box models. This paper investigates transferable adversarial attacks on black-box models and proposes a method for enhancing the transferability of adversarial examples based on multi-perspective confidence fusion. The method is embedded as a universal module into gradient-based adversarial attack processes to improve the transferability of adversarial examples. Specifically, a multi-perspective transformation strategy based on dual-pixel space is designed to guide the model in perceiving image information across different channels and spatial scales, thereby expanding the model's areas of focus, generating a differentiated attention distribution for the image, and enabling multi-perspective perception of image information. To model conflicts and uncertainties across perspectives, a conflict-aware confidence fusion method is proposed within the evidence theory framework. It extracts the common predictive information from the model's output confidences under multiple perspectives, thereby avoiding decision interference caused by perspective-specific characteristics and effectively enhancing the reliability of multi-perspective decision fusion. A bidirectional loss optimization function is designed to drive adversarial examples away from the correct decision boundary of the model, guiding them into vulnerable regions shared across perspectives and models, thereby improving transfer attack performance against black-box models. Experiments show that the proposed method effectively improves the transferability of adversarial examples in cross-architecture attack scenarios. After existing gradient-based adversarial attacks are combined with the multi-perspective confidence fusion method, the transfer attack success rate improves by an average of 21.15% and 13.02% for conventionally trained convolutional neural network (CNN) and Transformer models, respectively, by an average of 13.84% for defense models, and by an average of 16.14% for ensemble models.
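The evidence-theory fusion step mentioned in the abstract can be illustrated with the classical Dempster rule of combination applied to per-view classifier confidences. This is an added example, not the authors' conflict-aware method or code; the discount factor `uncertainty`, the function names and the sample confidence vectors are assumptions constructed for illustration.

```python
"""Classical Dempster-Shafer fusion of per-view confidences (illustrative only)."""

def to_mass(conf, uncertainty):
    """Discount a confidence vector: singleton {c} gets (1-u)*p_c, the frame Theta gets u."""
    if not 0.0 <= uncertainty <= 1.0:
        raise ValueError("uncertainty must lie in [0, 1]")
    total = sum(conf)
    return [(1.0 - uncertainty) * p / total for p in conf], uncertainty

def combine(m1, m2):
    """Dempster's rule for masses on singletons plus Theta; returns (fused mass, conflict K)."""
    s1, t1 = m1
    s2, t2 = m2
    # {c} survives from {c}&{c}, {c}&Theta and Theta&{c}; Theta only from Theta&Theta.
    raw = [a * b + a * t2 + t1 * b for a, b in zip(s1, s2)]
    theta = t1 * t2
    # Mass landing on the empty set (pairs of different singletons) is the conflict K.
    conflict = max(0.0, 1.0 - sum(raw) - theta)
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the views share no common hypothesis")
    norm = 1.0 - conflict
    return ([r / norm for r in raw], theta / norm), conflict

def fuse(views, uncertainty=0.1):
    """Fuse the views left to right; also return the conflict seen at each step."""
    masses = [to_mass(v, uncertainty) for v in views]
    fused, conflicts = masses[0], []
    for m in masses[1:]:
        fused, k = combine(fused, m)
        conflicts.append(k)
    return fused, conflicts

# Constructed sample: confidences over 3 classes from three transformed views of one image.
VIEWS = [[0.8, 0.1, 0.1], [0.7, 0.2, 0.1], [0.1, 0.8, 0.1]]

if __name__ == "__main__":
    (singles, theta), conflicts = fuse(VIEWS)
    print("fused singleton masses:", [round(x, 4) for x in singles])
    print("residual mass on Theta:", round(theta, 4))
    print("conflict at each fusion step:", [round(k, 4) for k in conflicts])
```

The conflict value rises when a view disagrees with the evidence accumulated so far, which is the quantity a conflict-aware scheme has to account for before trusting the fused decision.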