Subject screening To gain entry into the study, subjects were required to first perform a "demo" task consisting of 100 We refer to measures of human choice probability that are lapse-rate correct in this manner as "Normalized" (e.g., Supp. The typically observed lapse rates were quite low (median over subjects: 0%; mean 4.9%), indicating Figure 3: Human disruption rates are largely stable across stimulus presentation times. At shorter viewing times, we observed modest or no increases in disruption rate. Source images were captured with a smartphone camera. ImageNet classes, as previously defined in robustness library [2].

We consider the blackbox transfer-based targeted adversarial attack threat model in the realm of deep neural network (DNN) image classifiers. Rather than focusing on crossing decision boundaries at the output layer of the source model, our method perturbs representations throughout the extracted feature hierarchy to resemble other classes. We design a flexible attack framework that allows for multi-layer perturbations and demonstrates state-of-the-art targeted transfer performance between ImageNet DNNs. We also show the superiority of our feature space methods under a relaxation of the common assumption that the source and target models are trained on the same dataset and label space, in some instances achieving a $10\times$ increase in targeted success rate relative to other blackbox transfer methods. Finally, we analyze why the proposed methods outperform existing attack strategies and show an extension of the method in the case when limited queries to the blackbox model are allowed.

Retrieval-Augmented Generation (RAG) increases the reliability and trustworthiness of the LLM response and reduces hallucination by eliminating the need for model retraining. It does so by adding external data into the LLM's context. We develop a new class of black-box attack, RAG-Pull, that inserts hidden UTF characters into queries or external code repositories, redirecting retrieval toward malicious code, thereby breaking the models' safety alignment. We observe that query and code perturbations alone can shift retrieval toward attacker-controlled snippets, while combined query-and-target perturbations achieve near-perfect success. Once retrieved, these snippets introduce exploitable vulnerabilities such as remote code execution and SQL injection. RAG-Pull's minimal perturbations can alter the model's safety alignment and increase preference towards unsafe code, therefore opening up a new class of attacks on LLMs.

Weaknesses: - The first major concern is the limited methodological contribution compared to FDA. The proposed method just aggregates (i.e., sum) FDA objectives of multiple layers and adding the cross-entropy term like other attack methods; in other words, these approaches are straightforward. Although the improvements of the proposed method are meaningful, it is not surprising or interesting results. TMIM/SGM methods do not use the training data for the white-box model while FDA-based frameworks use the data for training auxiliary functions g. In my opinion, access to only pre-trained white-box models largely differs from that to whole training data, and thus the latter uses more knowledge than the former.

We consider the blackbox transfer-based targeted adversarial attack threat model in the realm of deep neural network (DNN) image classifiers. Rather than focusing on crossing decision boundaries at the output layer of the source model, our method perturbs representations throughout the extracted feature hierarchy to resemble other classes. We design a flexible attack framework that allows for multi-layer perturbations and demonstrates state-of-the-art targeted transfer performance between ImageNet DNNs. We also show the superiority of our feature space methods under a relaxation of the common assumption that the source and target models are trained on the same dataset and label space, in some instances achieving a 10\times increase in targeted success rate relative to other blackbox transfer methods. Finally, we analyze why the proposed methods outperform existing attack strategies and show an extension of the method in the case when limited queries to the blackbox model are allowed.