Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability

Yunce ZHAO; Wei HUANG; Wei LIU; Xin YAO

doi:10.1007/978-981-96-6975-2_27

Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability

Yunce ZHAO^*, Wei HUANG, Wei LIU, Xin YAO

^*Corresponding author for this work

School of Data Science

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

Abstract

Adversarial examples are effective at deceiving deep neural network models for which they are specifically crafted and also demonstrate transferability across different models. This characteristic facilitates attacks in black-box scenarios, where the internal workings of the victim models are inaccessible. The Intermediate-Level Attack (ILA) enhances transferability by guiding the direction of the generation of perturbations using intermediate-level outputs. However, ILA struggles with transferring examples between models with different architectures, such as from Convolutional Neural Networks (CNNs) to Vision Transformers (ViTs). To address this, we introduce the Ensemble of Intermediate-Level Attacks (EILA). This approach leverages intermediate outputs from multiple source models to more effectively guide perturbation directions in the generation of adversarial examples. By adopting a shared guidance adversarial example strategy, EILA reduces conflicts in perturbation directions across different models, thereby enhancing overall transfer performance. Experimental results reveal significant enhancements in the transferability of adversarial examples across a range of deep learning models, demonstrating the effectiveness of EILA.

Original language	English
Title of host publication	Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X
Editors	Mufti MAHMUD, Maryam DOBORJEH, Kevin WONG, Andrew Chi Sing LEUNG, Zohreh DOBORJEH, M. TANVEER
Publisher	Springer
Chapter	27
Pages	393-407
Number of pages	15
ISBN (Electronic)	9789819669752
ISBN (Print)	9789819669745
DOIs	https://doi.org/10.1007/978-981-96-6975-2_27
Publication status	Published - 24 Jun 2025

Publication series

Name	Communications in Computer and Information Science
Volume	2291 CCIS
ISSN (Print)	1865-0929
ISSN (Electronic)	1865-0937

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

Funding

This work was supported by the National Natural Science Foundation of China (Grant No. 62250710682), the Guangdong Provincial Key Laboratory (Grant No. 2020B121201001), and the Program for Guangdong Introducing Innovative and Entrepreneurial Teams (Grant No.2017ZT07X386).

Keywords

AI Safety
Adversarial Transferability
Deep Neural Networks
Ensemble
Intermediate-Level Attack

Access to Document

10.1007/978-981-96-6975-2_27

https://link.springer.com/10.1007/978-981-96-6975-2_27

Cite this

ZHAO, Y., HUANG, W., LIU, W., & YAO, X. (2025). Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability. In M. MAHMUD, M. DOBORJEH, K. WONG, A. C. S. LEUNG, Z. DOBORJEH, & M. TANVEER (Eds.), Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X (pp. 393-407). (Communications in Computer and Information Science; Vol. 2291 CCIS). Springer. https://doi.org/10.1007/978-981-96-6975-2_27

ZHAO, Yunce ; HUANG, Wei ; LIU, Wei et al. / Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability. Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X. editor / Mufti MAHMUD ; Maryam DOBORJEH ; Kevin WONG ; Andrew Chi Sing LEUNG ; Zohreh DOBORJEH ; M. TANVEER. Springer, 2025. pp. 393-407 (Communications in Computer and Information Science).

@inproceedings{1107480f1f5048b2adf8fb5e3fb2230b,

title = "Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability",

abstract = "Adversarial examples are effective at deceiving deep neural network models for which they are specifically crafted and also demonstrate transferability across different models. This characteristic facilitates attacks in black-box scenarios, where the internal workings of the victim models are inaccessible. The Intermediate-Level Attack (ILA) enhances transferability by guiding the direction of the generation of perturbations using intermediate-level outputs. However, ILA struggles with transferring examples between models with different architectures, such as from Convolutional Neural Networks (CNNs) to Vision Transformers (ViTs). To address this, we introduce the Ensemble of Intermediate-Level Attacks (EILA). This approach leverages intermediate outputs from multiple source models to more effectively guide perturbation directions in the generation of adversarial examples. By adopting a shared guidance adversarial example strategy, EILA reduces conflicts in perturbation directions across different models, thereby enhancing overall transfer performance. Experimental results reveal significant enhancements in the transferability of adversarial examples across a range of deep learning models, demonstrating the effectiveness of EILA.",

keywords = "AI Safety, Adversarial Transferability, Deep Neural Networks, Ensemble, Intermediate-Level Attack",

author = "Yunce ZHAO and Wei HUANG and Wei LIU and Xin YAO",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.",

year = "2025",

month = jun,

day = "24",

doi = "10.1007/978-981-96-6975-2\_27",

language = "English",

isbn = "9789819669745",

series = "Communications in Computer and Information Science",

publisher = "Springer",

pages = "393--407",

editor = "Mufti MAHMUD and Maryam DOBORJEH and Kevin WONG and LEUNG, \{Andrew Chi Sing\} and Zohreh DOBORJEH and M. TANVEER",

booktitle = "Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X",

}

ZHAO, Y, HUANG, W, LIU, W & YAO, X 2025, Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability. in M MAHMUD, M DOBORJEH, K WONG, ACS LEUNG, Z DOBORJEH & M TANVEER (eds), Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X. Communications in Computer and Information Science, vol. 2291 CCIS, Springer, pp. 393-407. https://doi.org/10.1007/978-981-96-6975-2_27

Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability. / ZHAO, Yunce; HUANG, Wei; LIU, Wei et al.
Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X. ed. / Mufti MAHMUD; Maryam DOBORJEH; Kevin WONG; Andrew Chi Sing LEUNG; Zohreh DOBORJEH; M. TANVEER. Springer, 2025. p. 393-407 (Communications in Computer and Information Science; Vol. 2291 CCIS).

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

TY - GEN

T1 - Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability

AU - ZHAO, Yunce

AU - HUANG, Wei

AU - LIU, Wei

AU - YAO, Xin

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

PY - 2025/6/24

Y1 - 2025/6/24

N2 - Adversarial examples are effective at deceiving deep neural network models for which they are specifically crafted and also demonstrate transferability across different models. This characteristic facilitates attacks in black-box scenarios, where the internal workings of the victim models are inaccessible. The Intermediate-Level Attack (ILA) enhances transferability by guiding the direction of the generation of perturbations using intermediate-level outputs. However, ILA struggles with transferring examples between models with different architectures, such as from Convolutional Neural Networks (CNNs) to Vision Transformers (ViTs). To address this, we introduce the Ensemble of Intermediate-Level Attacks (EILA). This approach leverages intermediate outputs from multiple source models to more effectively guide perturbation directions in the generation of adversarial examples. By adopting a shared guidance adversarial example strategy, EILA reduces conflicts in perturbation directions across different models, thereby enhancing overall transfer performance. Experimental results reveal significant enhancements in the transferability of adversarial examples across a range of deep learning models, demonstrating the effectiveness of EILA.

AB - Adversarial examples are effective at deceiving deep neural network models for which they are specifically crafted and also demonstrate transferability across different models. This characteristic facilitates attacks in black-box scenarios, where the internal workings of the victim models are inaccessible. The Intermediate-Level Attack (ILA) enhances transferability by guiding the direction of the generation of perturbations using intermediate-level outputs. However, ILA struggles with transferring examples between models with different architectures, such as from Convolutional Neural Networks (CNNs) to Vision Transformers (ViTs). To address this, we introduce the Ensemble of Intermediate-Level Attacks (EILA). This approach leverages intermediate outputs from multiple source models to more effectively guide perturbation directions in the generation of adversarial examples. By adopting a shared guidance adversarial example strategy, EILA reduces conflicts in perturbation directions across different models, thereby enhancing overall transfer performance. Experimental results reveal significant enhancements in the transferability of adversarial examples across a range of deep learning models, demonstrating the effectiveness of EILA.

KW - AI Safety

KW - Adversarial Transferability

KW - Deep Neural Networks

KW - Ensemble

KW - Intermediate-Level Attack

UR - https://www.scopus.com/pages/publications/105010027233

U2 - 10.1007/978-981-96-6975-2_27

DO - 10.1007/978-981-96-6975-2_27

M3 - Conference paper (refereed)

SN - 9789819669745

T3 - Communications in Computer and Information Science

SP - 393

EP - 407

BT - Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X

A2 - MAHMUD, Mufti

A2 - DOBORJEH, Maryam

A2 - WONG, Kevin

A2 - LEUNG, Andrew Chi Sing

A2 - DOBORJEH, Zohreh

A2 - TANVEER, M.

PB - Springer

ER -

ZHAO Y, HUANG W, LIU W, YAO X. Ensemble of Intermediate-Level Attacks to Boost Adversarial Transferability. In MAHMUD M, DOBORJEH M, WONG K, LEUNG ACS, DOBORJEH Z, TANVEER M, editors, Neural Information Processing 31st International Conference, ICONIP 2024, Auckland, New Zealand, December 2–6, 2024, Proceedings, Part X. Springer. 2025. p. 393-407. (Communications in Computer and Information Science). Epub 2025 Jun 24. doi: 10.1007/978-981-96-6975-2_27