Specifically, we randomly sample an example and adopt a first-order procedure to approximate the Hessian/vector product, which makes computing more efficient by interpolating two neighboring gradients.

Unrestricted adversarial attacks typically manipulate the semantic content of an image ( e.g., color or texture) to create adversarial examples that are both effective and photorealistic, demonstrating their ability to deceive human perception

Traditionally, this transferability is always regarded as a critical threat to the defense against adversarial attacks, however, we argue that the network robustness can be significantly boosted by utilizing adversarial transferability from anewperspective.

We also provide the lower and upper bounds ofadversarial transferability under certain conditions.

We evaluate the identified RSTs' robustness against more attacks on top of two networks on CIFAR-10 as a complement for Sec. As observed from Tab. 1, we can see that the RSTs searched by PGD-7 training are also robust against other attacks. As observed in Figure 1, RSTs drawn from randomly initialized networks achieve a comparable natural accuracy with the RTTs drawn from naturally/adversarially trained networks and adversarial RTTs generally achieve the best natural accuracy. Trained), (2) adversarially trained dense models (Dense Adv. Trained 70.70 74.35 77.20 77.71 75.55 79.22 78.85 77.33 0 81.28 Dense Adv.

Recently, several works have been proposed to boost adversarial transferability, in which the surrogate model is usually overlooked. In this work, we identify that non-linear layers ( e.g .