Robustness and Transferability of Adversarial Attacks on Different Image Classification Neural Networks

Abstract

Recent works demonstrated that imperceptible perturbations to input data, known as adversarial examples, can mislead neural networks’ output. Moreover, the same adversarial sample can be transferable and used to fool different neural models. Such vulnerabilities impede the use of neural networks in mission-critical tasks. To the best of our knowledge, this is the first paper that evaluates the robustness of emerging CNN- and transformer-inspired image classifier models such as SpinalNet and Compact Convolutional Transformer (CCT) against popular white- and black-box adversarial attacks imported from the Adversarial Robustness Toolbox (ART). In addition, the adversarial transferability of the generated samples across given models was studied. The tests were carried out on the CIFAR-10 dataset, and the obtained results show that the level of susceptibility of SpinalNet against the same attacks is similar to that of the traditional VGG model, whereas CCT demonstrates better generalization and robustness. The results of this work can be used as a reference for further studies, such as the development of new attacks and defense mechanisms.

1. Introduction

A growing amount of data and the efficiency of deep neural networks (DNNs) for complex learning problems make deep learning-based solutions ubiquitous in a wide range of domains. The popular neural architectures and their applications include convolutional neural networks for image classification [1], long short-term memory for speech recognition [2], and transformer neural networks for machine translation [3]. However, in [4], the authors reported two counter-intuitive properties that can be used to deceive the neural network. The process of intentional generation and the addition of such feature perturbations designed to mislead the neural model is now known as an adversarial attack. Later, more works demonstrated that different neural models exhibit different levels of adversarial vulnerability and robustness, which are typically measured by achieved accuracy after the applied attack [5,6,7]. In real-world applications, adversarial attacks and defenses of DNNs in medical imaging showed that even a limited amount of perturbation could significantly impact the result of diagnosis [8]. Moreover, attacks can be crafted in real-time, as in the case of autonomous driving systems [9]. As a result, a new area of adversarial attack defense has emerged, which can be implemented via model and/or data optimization and using additional networks [10]. The applied perturbations to the input can be measured by different ${\ell }_p$-norms and used to determine the strength of the attack [11]. Susceptibility to ${\ell }_p$-norm bounded attacks implies low robustness capabilities of a model against realistic threats [12]. Moreover, recent works demonstrated that an adversarial example designed for the easy-to-attack model can attack the hard-to-attack model.

Currently, the research area of adversarial attacks and defense is highly active, and there is a growing number of studies. According to the proposed taxonomy [13], adversarial attacks can be injected at the training or testing phases. Perturbations added to the input data to generate adversarial examples can be specific or universal. In the first case, different perturbations are added to each input, resulting in different perturbation patterns. In the latter case, added perturbations are the same [10]. Based on the number of iterations required to generate an adversarial example, attacks can be either one-shot/one-step or iterative [10]. In addition, the types of adversarial attacks can be tentatively classified based on the degree of knowledge, adversarial scenarios, and goals [13]. If the attacker has complete knowledge of the neural model parameters, then the attack is known as a white-box attack. In contrast, if the attacker has zero knowledge, it is known as a black-box attack [14]. In the case of a limited degree of knowledge, the attacks belong to the gray-box class. Depending on the adversarial goals, attacks can be targeted, untargeted, or aim to reduce the degree of confidence of neural networks. Untargeted attacks try to misguide the model to predict any of the incorrect classes, whereas targeted attacks aim to misguide the model to produce specific incorrect classes [15]. Moreover, an adversarial example can be designed on different training datasets [16]. This is known as the transferability. Therefore, along with the robustness to adversarial attacks, some works such as [17] tested the concept of transferability of the models and searched for ways to protect systems and to create a defense against attacks.

Studying adversarial robustness and transferability is crucial for several reasons. Firstly, model trustfulness and security are important for deploying transparent mission- and business-critical applications. Secondly, exploring the generalizability and transferability of the model is one of the major steps toward developing a defense mechanism. This work explores the robustness of CNN- and transformer-based classifier neural model architectures against white-box and black-box evasion adversarial attacks and their transferability. The studied neural models include the popular Very Deep Convolutional Network (VGG) [18], somatosensory system-inspired SpinalNet [19], and the newly developed CCT-7/3 × 1 [20]. The performance of the VGG model, including its vulnerability, is widely studied and often serves as a foundational baseline for many neural networks [21]. SpinalNet is promising for multi-scale feature extraction, whereas CCT relies on hierarchical feature extraction and decomposition. To the best of our knowledge, the robustness and transferability of these models have not been studied before. Their robustness was examined against four white-box attacks: Carlini and Wagner ${\ell }_2$, Carlini and Wagner ${\ell }_{inf}$, the Fast Gradient Sign Method (FGSM), and AutoAttack, and three black-box attacks: SquareAttack, HopSkipJump, and PixelAttack. The attacks used were primarily chosen based on their popularity in testing adversarial robustness and, secondly, on the most promising results in early testing stages using pre-trained VGG models extracted from the torchvision module in PyTorch. Additionally, the transferability rate of the adversarial examples between the given models was evaluated to determine whether or not the tested models can be used to create a defense system against the adversary. It should be noted that adversarial defense mechanisms will not be covered in this work.

The contributions of this paper are summarized in the following points:

• We evaluated the robustness of SpinalNet and CCT models against popular targeted and non-targeted attacks;
• We assessed the attack transferability of the non-targeted attacks between VGG, SpinalNet, and CCT.

The paper is organized as follows: Section 2 gives a brief introduction to the generation of attacks and background on attacks used to craft adversarial examples, including four white-box and three black-box attacks extracted from the Adversarial Robustness Toolbox (ART) [22] which is a Python library developed to evaluate and defend machine learning models. Related works are summarized in Section 3. Section 4 provides a background on the neural network architectures utilized to evaluate robustness against adversarial attacks. Section 5 covers the robustness and transferability tests setup. Finally, Section 6 provides results and analysis on the robustness and transferability of the given neural models.

2. Background

2.1. Generation of the Evasion Attacks

Applying an attack during the testing phase helps to evaluate the model’s vulnerability, whereas, during the training phase, it helps to improve its robustness and assess attack transferability. Most of the proposed attacks during the testing phase adopted evasion scenarios [13] and were created by adding a malicious input sample to fool the neural network. Given some input data and the corresponding classes $C_1,\dots ,C_k$ with the decision boundaries specified by discriminants $g_i(·)$ where $i=1,\dots ,k$; the input x belongs to the input class $C_i$. An adversarial attack is an intentional malicious attempt to replace original input x with an adversarial example $x^{\prime }$ which leads to the high possibility of misclassification of $C_i\left(x\right)$ as a target class $C_t\left(x^{\prime }\right)$ [16]. The adversarial examples are input with human-imperceptible perturbation such that the perturbed input $x^{\prime }=x+\delta$, where $\delta$ is the additive adversarial attack [23,24]. The set of possible attacks satisfies the following boundary condition:

$$\begin{array}{cccc}\hfill & \underset{j\ne t}{\mathrm{maximize}}\hfill & \hfill & \left\{g_j\left(x^{\prime }\right)\right\}-g_t\left(x^{\prime }\right)\le 0\hfill \end{array}$$

(1)

where $g_t\left(x^{\prime }\right)$ is a discriminant value of the target class $C_t$ and $g_j\left(x^{\prime }\right)$ is a discriminant of other classes in the classifier.

A similarity between the original input x and modified input $x^{\prime }$ is quantified using a distance metric ${\ell }_p$ = ${\Vert x-x^{\prime }\Vert }_p$, also known as a norm. Each norm refers to a different mode of functioning used by the attacks to alter the original data and create the corresponding adversarial examples [24].

• The ${\ell }_0$ norm is used to indicate the number of features altered to create the added perturbation on the images;
• The ${\ell }_1$ norm indicates the sum of the added perturbations to the crafted examples;
• The ${\ell }_2$ norm specifies the Euclidean distance of the added perturbation to the original image;
• The ${\ell }_{inf}$ norm is used to stipulate the maximum added perturbation.

The process of finding attack $x^{\prime }$ requires solving the optimization problem, which aims to minimize the magnitude of perturbation $\delta$ or to minimize the distance between $x^{\prime }$ and x. Currently, the following most commonly used attacks can be distinguished [23]:

• Minimum norm attack: ensures the minimum magnitude of perturbation;
• Maximum allowable attack: the magnitude of the attack is upper bounded by ${\Vert x-x^{\prime }\Vert }_p$$\le ϵ$;
• Regularization-based attack: tries to simultaneously minimize two objectives such as ${\Vert x-x^{\prime }\Vert }_p$ and $ma{x}_{j\ne t}\left\{g_j\left(x^{\prime }\right)\right\}-g_t\left(x^{\prime }\right)$.

The attack success rate (ASR) is the metric that shows the proportion of adversarial examples that fooled the model [13]. In some cases, an adversarial example generated to mislead one classifier model can also be transferred to deceive another model. It should be noted the attacks crafted under white-box attack conditions can be transferred to a black-box setting [25]. Section 2.2 and Section 2.3 below provide a background on attacks applied in this work.

2.2. White-Box Attacks

2.2.1. Carlini and Wagner

Carlini and Wagner (C&W) proposed three new effective attack algorithms customized to three distance metrics ${\ell }_0$, ${\ell }_2$, and ${\ell }_{inf}$ [16]. The initial formulation of finding an adversarial instance can be described as follows:

$$\mathrm{minimize}\mathcal{D}(x,x+\delta )$$

(2)

such that $x+\delta \in {[0,1]}^n$ and $C(x+\delta )=C\left(x^{\prime }\right)=C_t$ where $C_t$ is the target label, $\delta$ is the additive adversarial attack, $\mathcal{D}$ is some distance metric [16]. Since the formulation in Equation (2) was difficult to solve, it was updated with an additional constant c with the objective function f:

$$\mathrm{minimize}\mathcal{D}(x,x+\delta )+c·f(x+\delta )$$

(3)

such that $x+\delta \in {[0,1]}^n$ and $c>0$ [16]. Besides different norms, objective function has a set of constraints $\mathsf{\Omega }$ and a decision boundary between classes $C_i$ and $C_t$.

For the targeted Carlini and Wagner attack, the objective function can be expressed as follows:

$$\ell (c,x^{\prime })=\Vert x^{\prime }-x{\Vert }_2^2+c·\ell \left(x^{\prime }\right)$$

(4)

Our work utilizes two of the attacks based on ${\ell }_2$ and ${\ell }_{inf}$. In a targeted attack, the C&W ${\ell }_2$ attack aims to find the smallest value of c such that $\ell \left(x^{\prime }\right)=0$ with the smallest adversarial perturbation $\Vert x^{\prime }-x{\Vert }_2^2$. In ART, the value of c is searched using a binary search. The untargeted attack has the only constraint on classes $C\left(x^{\prime }\right)\ne C\left(x\right)$.

Unlike C&W ${\ell }_2$, the C&W ${\ell }_{inf}$ attack works iteratively and operates on batches instead of individual images [26]. This attack aims to find $x^{\prime }$ such that $\ell \left(x^{\prime }\right)=0$ while $\Vert x-x^{\prime }{\Vert }_{\infty }\le ϵ$ for a given $ϵ>0$ in the ${\ell }_{inf}$ norm constraint [22]. It should be noted that the implementation of this attack in ART [22] differs from the originally presented version in [16]. For targeted and untargeted cases, C&W ${\ell }_{inf}$ has the same constraints as C&W ${\ell }_2$.

2.2.2. Fast Gradient Sign Method

The Fast Gradient Sign Method (FGSM) adds perturbation with respect to the loss function in a single step and, therefore, is easily implemented [24,27]. The FGSM considers the sign of the gradients of the loss function with respect to the original input image. In the case of the targeted the FGSM attack and ${\ell }_{inf}$, a new adversarial example is created using the perturbation in the following Equation (5) [22]:

$$\psi \left(x,y\right)=-ϵ.\mathrm{sign}\left({\nabla }_x\mathcal{L}\left(x,y\right)\right)$$

(5)

where x is the input, y is the target, $ϵ$ is the attack strength [22], and the $\mathcal{L}$ is the loss function. The FGSM attack is mainly chosen for its high efficiency as it only requires one gradient evaluation and can be applied to a batch of inputs instead of singular inputs. For our work, the attack was used in the untargeted default setting in which the original input x is transformed in a way that increases the loss of the classifier when continuing to label x as $C\left(x\right)$.

2.2.3. AutoAttack

AutoAttack is an ensemble of parameter-free attacks with low computational cost, which makes it suitable for a minimal test of the robustness of a model [28]. It combines the White-Box Auto Projected Gradient Descent Attack (AutoPGD or APGD), the DeepFool, and the Black-Box SquareAttack attacks. Moreover, it has fixed hyperparameters and is fully automatic [28].

The Projected Gradient Descent (PGD) attack is one of the most popular methods to test the robustness of a model. However, in some cases, it fails due to two potential reasons: (i) a step size and (ii) a cross-entropy loss function. AutoPGD is a gradient-based with an alternative loss function which was designed to overcome limitations of PGD [28]. In particular, in AutoPGD, each iteration $N_{iter}$ is split into exploration and exploitation phases. The aim of the first phase is to identify a set of adequate initial points, and the goal of the next phase is to maximize the accumulated knowledge. Progressive reduction in the step size takes place during the transition between the phases. The DeepFool attack is an untargeted fast but low-accuracy attack [29]. It aims to iteratively search for decision boundaries between classes in the ${\ell }_2$ norm [22]. DeepFool has been adapted for binary and multiclass classifiers.

The description of SquareAttack is provided in Section 2.3.1 below. Moreover, unlike DeepFool and APGD attacks, our work includes an independent evaluation of SquareAttack apart from AutoAttack.

2.3. Black-Box Attacks

2.3.1. SquareAttack

The SquareAttack attack is a ${\ell }_2$ and ${\ell }_{inf}$ score-based attack, and, for a given input, it has access only to the score predicted by a classifier. It performs a random search to select the area to alter. SquareAttack does not exploit any gradient approximation, which makes it safe against gradient masking. The height of the square delimiting the area to alter is the closest positive integer to $\sqrt{p\times w^2}$ with p being the percentage of elements of the original image to modify and w the width of the image of size $w\times w$.

The algorithm of the attack was developed in a way that ensures that the changes made to the original sample are localized. This means that, at each step, only a small fraction of the contiguous square-shaped pixels are modified. The first step in the algorithm is to choose the height of the square to be altered. Then, a random update is computed and added to the previously computed iterate. If the loss function resulting from that addition is better than all previous computed losses, the change is accepted and applied. Otherwise, it is discarded [30].

2.3.2. HopSkipJump

The HopSkipJump attack is a recently developed attack based on a new estimate of the gradient direction using binary information gathered at the decision boundary [31]. It aims to minimize the distance to the target image while staying at the adversarial side of the boundary. The functioning of this attack is best described by an illustration shown in Figure 1 extracted from [31].

The first step shown in Figure 1 is the binary search to locate the boundary and update the binary point. Then, an estimate of the gradient is obtained at the boundary point, and geometric progression occurs to locate the closest point to the boundary but still in the adversarial region. The identified adversarial point is saved, and then a binary search is performed again to find the second boundary point, and so on [31].

2.3.3. PixelAttack

The PixelAttack is a low-cost and straightforward attack. Instead of small-spread perturbations, it perturbs one pixel:

$$\begin{array}{cccc}\hfill & \underset{e^{x*}}{\mathrm{maximize}}\hfill & \hfill & f_{adv}(x+e\left(x\right))\hfill \\ \hfill & \mathrm{subject}\mathrm{to}\hfill & \hfill & \Vert e\left(x\right){\Vert }_0\le d\hfill \end{array}$$

(6)

where d is a small number and equal to 1 for ${\ell }_0$ one-pixel attack. PixelAttack generates adversarial perturbations based on either Differential Evolution (DE) or Covariance Matrix Adaptation (CMA-ES). The corresponding perturbation is then applied to a single pixel in the image to compose the adversarial example [32]. In our research, PixelAttack was applied using the default option set in the attack using CMA-ES.

3. Related Work

Generally, there is no common opinion on how adversarial examples are generated [10]. One group of academic circles believes that a low probability of adversarial examples already exists in real data. Some works [27,33,34] employ the ${\ell }_0$-${\ell }_1$-${\ell }_2$ norm to improve image quality and classification accuracy. The other group assumes that the vulnerability of neural networks comes with linear features of the model due to the use of linear activation functions [10]. In addition, early works studied the role of each layer in handling adversarial examples and showed that neural networks could be fooled by compromising certain layers [35,36]. In particular, the most susceptible layers in VGG16 against attacks generated using DLFuzz were $Block4\_conv1$ and $Block5\_conv1$ [37].

Attributes of the popular attacks against CNN-based image classification models and their reported strengths were earlier summarized in [38]. According to the presented results, the weakest attack is one-pixel attack, which changes only one pixel of an image [32]. On the contrary, Carlini and Wagner attacks restricted by their ${\ell }_p$-norm [16] are among the strongest. Interestingly, attention blocks added to image classification CNN models increase robustness against adversarial examples [39]. Recent works demonstrated that attention-based transformer models, and Vision Transformer (ViT) in particular, show better performance in computer vision tasks than state-of-the-art CNN models [40]. Moreover, ViT and its hybrid models are more robust than CNN models when different pre-processing methods are applied [21].

Table 1. The attack success rate (ASR) of the adversarial examples (AEs) for 1000 images from ImageNet-1k [21].

Type of Attack	ASR (%) Top-1 Error
	FGSM	C&W ${\mathit{\ell }}_{\mathbf{2}}$	C&W ${\mathit{\ell }}_{\mathit{inf}}$	PGD ${\mathit{\ell }}_{\mathbf{2}}$
ViT-S-16	47.80	99.70	100.00	90.00
Vit-B-16	50.00	98.10	95.80	94.10
ViT-L-16	39.80	95.90	94.80	88.40
ResNet50	43.80	99.50	100.00	90.70
VGG-16	89.00	99.90	100.00	98.90

shows the success rate of attacks applied on different ViT configurations and CNN models without pre-processing steps.

A comprehensive exploration of the robustness and transferability of different CNN architectures was recently published in [41]. This work considered architectures such as VGG-16, VGG-19, ResNet-50, ResNet-152v2, MobileNet v2, EfficientNetB0, and DenseNet201. The results showed that attacks designed for deeper CNNs are effective in fooling CNNs with less depth. For instance, adversarial examples developed using the surrogate DenseNet201 model achieved transferability accuracy on other networks above 90%, whereas an attack designed using VGG-16 achieved transferability accuracy between 15 and 72% on the same models. In [42], the authors tried to understand the transferability between CNNs and ViTs based on the inductive bias phenomenon, which is an ability to generalize to unseen data.

4. Neural Network Models

In this work, the robustness and transferability of various adversarial attacks presented in Section 2 were studied for three types of image classifiers. Since CNN (Figure 2a) and transformer models dominate image classification tasks, the first model type is a widely spread VGG architecture. The second model of interest is a lightweight compact transformer-based CCT. Initially designed for natural language processing, transformers have rapidly evolved and been used in computer vision [20]. The integration of transformers into the computer vision field started with Vision Transformers (ViTs). However, the need for an excessive amount of data to train ViTs led to the development of their compact version, CCTs, with added sequence pooling and convolutional blocks (Figure 2b) [20]. The third model is SpinalNet, a novel neural network architecture with gradual input that aims to reduce computational overhead during both training and inference [19]. Inspired by the body’s somatosensory system, the architecture of SpinalNet consists of three main rows: the input row, the intermediate row, and the output row, as shown in Figure 2c [19]. At the input row, input data are split and repeatedly passed to the intermediate row, which comprises several hidden layers with non-linear activation functions. The number of neurons in those layers is kept small to reduce computations. The output row then sums up the weighted outputs generated by the hidden layers of the intermediate row. The result can be split and passed to the next hidden states if required. The effectiveness of SpinalNet was verified on different configurations of CNN, VGG, ResNet, and DenseNet neural networks for regression and classification problems.

5. DNN Model Robustness and Transferability Testing Setup

Analyses of the robustness and transferability of the selected models were conducted using four white-box attacks and three black-box attacks presented in Section 2. The vulnerability of the neural network models and success rate of attacks were studied during the testing phase using evasion or poisoning attacks as summarized in Figure 3. The evaluation was carried out in the PyTorch framework with attacks imported from the Adversarial Robustness Toolbox (ART). The models were evaluated on both untargeted and targeted attacks. The adversarial hyperparameters of each attack were chosen based on the default settings of the ART. Target classes in the case of targeted attacks were chosen randomly.

5.1. Data and Models

This work considers three topologies of neural models—SpinalNet, VGG, and CCT. The VGG group comprises VGG-11, VGG-13, VGG-16, and VGG-19. The SpinalNet group includes neural network configurations such as SpinalNet-11, SpinalNet-13, SpinalNet-16, and SpinalNet-19 that are based on VGG models. And the last one is the CCT-7/3 × 1 configuration.

The classifier models were tested on the widely used CIFAR-10 dataset. In the case of SpinalNet and VGG models, the input shape was 3 × 32 × 32, and the dataset values were clipped between (0, 1). In the case of the CCT-7/3 × 1 model, the CIFAR-10 dataset images had to be normalized before being fed to the model. For normalization, a mean was specified as (0.4914, 0.4822, 0.4465), and the standard deviation as (0.2471, 0.2435, 0.2616). This was performed to acquire the same accuracy mentioned in [20].

5.2. Setup

5.2.1. Testing Robustness

Training and testing of robustness of SpinalNet models and their VGG counterparts on the non-normalized CIFAR-10 dataset were carried out using the codes provided in [43]. The supervised training was performed for over 200 epochs with a learning rate equal to 0.0001. The loss function used to train is the “CrossEntropyLoss” function, and the utilized optimizer is the Adam optimizer in all classifiers. Evaluation of the CCT-7/3 × 1 model was conducted on the pre-trained model using 5000 epochs [20]. The utilized loss function was the “HingeEmbeddingLoss” function.

5.2.2. Transferability

In this work, the transferability of non-targeted attacks between SpinalNet models and their VGG counterparts and that of both SpinalNet and VGG with CCT-7/3 × 1 were evaluated (Figure 4). Since crafting adversarial examples is a time-consuming process, transferability tests were conducted on the attacks generated during robustness tests. However, since the data used to train and test the VGG models and their SpinalNet counterparts were not normalized, unlike those used for CCT-7/3 × 1, we had to normalize the examples crafted on VGG and SpinalNet before transferring them to CCT-7/3 × 1 using the same values of mean and standard deviation mentioned above and denormalize those crafted on CCT-7/3 × 1 before transferring them to the VGG and SpinalNet models.

6. Results and Discussion

6.1. Robustness

Evaluation of the robustness of VGG, SpinalNet, and CCT on the same attacks showed that they all are vulnerable to adversarial examples. In the case of non-targeted attacks (more details in Appendix A.1), in a few cases, SpinalNet models appeared to be slightly more robust than their VGG counterparts. But overall, SpinalNet and VGG classifier models respond similarly to all applied attacks. This means that the splits in the SpinalNet architecture do not provide advantages over the fully connected layers in VGG against perturbations, and both models were fooled at early layers and interfered with the performance of subsequent layers. The best performance of SpinalNet and VGG models was observed against PixelAttack (around 20%). The largest accuracy drops were observed for the AutoAttack and the SquareAttack (always below 3%), and the latter, as mentioned earlier, is part of the AutoAttack. This means that CNN features such as multichanneling, weight sharing, downsampling, and locality do not resist attacks in vision tasks.

When comparing our results with those obtained for Vision Transformers (ViTs) in [17], it can be concluded that SpinalNet models show better promise for robustness against adversarial attacks than ViTs. Nevertheless, our work also demonstrates that in most cases, the CCT-7/3 × 1 model, which also has a convolutional component, appeared to be more robust than SpinalNet and VGG. CCTs are especially good at detecting relatively simple adversarial examples such as the FGSM (93.77%) and PixelAttack (84.89%). For C&W ${\ell }_{inf}$ and AutoAttack, the wrapping classifier’s accuracy for the CCT model is similar to that of SpinalNet and VGG (below 8% and 3%, respectively). Surprisingly, C&W ${\ell }_2$ attack demonstrated weakness against the CCT model with an accuracy drop of up to 40.7%, whereas in the case of SpinalNet and VGG, its performance was comparable to C&W ${\ell }_{inf}$. In [44], the authors show that despite close adversarial accuracy, the distribution of attacks may differ, and this can explain the sensitivity of CCT. The only attack that appeared to mislead CCT-7/3 × 1 even more than SpinalNet and VGG is HopSkipJump, which shows the advantage of the binary search in misleading transformers. In fact, with the HopSkipJump attack, when an adversarial example is located at the boundary between adversarial and non-adversarial samples, the accuracy of CCT-7/3 × 1 dropped from 98.00% to 0.99%. This means CCT can be confused by the closeness of adversarial examples to the decision boundaries of HopSkipJump, which is also the case of the DeepFool attack as part of AutoAttack. Eventually, AutoAttack proved that it generalizes well with any datasets and models.

Figure 5 compares the performance of targeted and untargeted attacks. Targeted attacks were generated for random targets with no masking at the same settings used for non-targeted attacks. As expected, the success rate of untargeted attacks is higher than in the case of targeted attacks since they are more generalizable and do not aim to mislead the network to a specific class. We believe non-targeted attacks better represent the vulnerability of the model. Generally, white-box attacks have more potential than black-box attacks since they possess information on the dataset and model parameters. Nevertheless, recently developed SquareAttack and HopSkipJump black-box attacks demonstrated results comparable with white-box attacks and even better. In addition, the success of AutoAttack shows that an ensemble of features of several adversarial examples strengthens the applied attack. The performance of the models is summarized in

Table 2. Summary of the applied untargeted attacks and model robustness (e.g., neural network classification accuracy: ✓✓✓✓✓✓ 0–5%; ✓✓✓✓✓ 5–10%; ✓✓✓✓ 10–20%; ✓✓✓ 20–40%; ✓✓ 40–80%; ✓ 80–100%.).

Attack Method	Norm	Adversarial Knowledge	Search Type	Crafting Adversarial Example	Strength of the Untargeted Attack
					SpinalNet	VGG	CCT
FGSM	${\ell }_{inf}$	White-Box	single step gradient-based guided differentiable search	applies the sign function on gradients	✓✓✓✓✓	✓✓✓✓✓	✓
C&W	${\ell }_2$	White-box	iterative gradient-based guided differentiable search	attempts to find a small perturbation $\delta$ while keeping the ${\ell }_2$ distance between x and x′ minimal	✓✓✓✓✓	✓✓✓✓✓	✓✓
	${\ell }_{inf}$	White-box	iterative gradient-based guided differentiable search	unlike ${\ell }_2$, operates on batches	✓✓✓✓✓	✓✓✓✓✓	✓✓✓✓✓
SquareAttack	${\ell }_{inf}$	Black-box	score-based iterative non-guided random search	every iteration selects square-shaped updates so that perturbation is located at the boundary of the feasible set	✓✓✓✓✓✓	✓✓✓✓✓✓	✓✓✓✓
AutoPGD	n/a	White-box	iterative gradient-based guided differentiable search	size-free step with exploration (search for good initial point) and exploitation (knowledge accumulation) phases	n/a	n/a	n/a
DeepFool	n/a	White-box	iterative guided differentiable search	iteratively searches for adversarial example at the decision boundary between classes	n/a	n/a	n/a
AutoAttack	${\ell }_{inf}$	White-box	iterative without any hyperparameter tuning	ensemble of parameter-free attacks	✓✓✓✓✓✓	✓✓✓✓✓✓	✓✓✓✓✓✓
PixelAttack	${\ell }_0$	Black-box	iterative differential evolution	only one pixel is changed	✓✓✓✓	✓✓✓✓	✓
HopSkipJump	${\ell }_2$	Black-box	iterative gradient-based binary search	minimizes distance to the target image while staying at the adversarial side of the boundary	✓✓✓✓✓	✓✓✓✓✓	✓✓✓✓✓✓

, where the strength of the attack increases with the number of check marks “✓” (between min = 1 and max = 6).

6.2. Transferability

Transferable adversarial attacks show the similar features different models share with each other. Regarding behavior, SpinalNet and VGG have similar transferability in both directions (more details in Appendix A.2), which can be explained by the same architecture at early layers. Good transferability was observed in the cases of AutoAttack, the FGSM, and SquareAttack. In the cases of the FGSM and the SquareAttack, accuracy dropped to values ranging from around 8% to around 14.8%, respectively. The AutoAttack could deceive the models and result in values similar to those obtained during the robustness evaluation ranging between 0.7 and 2.5%.

In the case of CCT-7/3 × 1, transferability was not bidirectional, meaning that some examples were transferable from one model to another but not the other way around. In the case of PixelAttack, the adversarial examples were not transferable either way between VGG and CCT or between SpinalNet and CCT. This introduces the simplest form of perturbations that are not enough to mislead the neural architectures such as CNN and Neural Transformer. In the cases of C&W ${\ell }_2$ and HopSkipJump, the adversarial examples were somewhat transferable from CCT to both SpinalNet and VGG and even more in the case of C&W ${\ell }_{inf}$ but not the other way around. In the case of AutoAttack, however, the adversarial examples crafted using the CCT-7/3 × 1 were partially transferable to SpinalNet and VGG and almost fully transferable the other way around. The SquareAttack examples, on the other hand, were partially transferable both ways. Finally, an interesting result was observed in the case of the FGSM. As mentioned earlier, the CCT-7/3 × 1 demonstrated the best robustness result against the FGSM attack. However, when examples crafted using the said attack were transferred from surrogate CNN-based models, the CCT-7/3 × 1 model appeared to be fooled, and the accuracy dropped to between 10 and 13% for all tested cases. The difference in the architectures of CNN and transformer-based neural networks can explain such behavior. But here, we should remember that CCT also has convolutional layers. For instance, CNNs are known for their shift-invariance with input layers designed to extract simple features, and the layers closer to output typically extract high-frequency features. On the contrary, shift-equivariant attention blocks of transformers are responsible for lower-order features [45]. In addition, neural transformers are powerful tools in processing a large volume of spatiotemporal data [46]. Therefore, adversarial perturbations designed for certain architecture have different levels of transferability. If models share similar capturing features, attacks have low transferability.

The results show that despite high effectiveness on certain models independently, some of the attacks have little or no transferability to other models, as in the case of AutoAttack. The potential direction in strengthening attacks and their transferability is the generation of adversarial examples against multiple models at once, as in the case of the Self-Attention Gradient Attack (SAGA) [17]. Another way to enhance transferability is the introduction of the Intermediate Level Attack (ILA) [47]. Overall, similar architectures such as VGG and SpinalNet show similar performance in robustness and transferability. Additionally, in most cases, the transferability is low between SpinalNet and VGG models and not always bidirectional between SpinalNet/VGG and CCT due to differences in capturing input features. This showed that the combination of the tested neural network models that react differently at low- and high-frequency features of data could increase the robustness of the developed system against crafted adversarial examples. However, the order and way the models would be cascaded depend on the type of attack used and perturbation added and could cause a serious security breach. Crafting new attacks that could deceive all these neural architectures will be considered in future work.

7. Conclusions

In this work, the evaluation of robustness and transferability of emerging image classifiers such as SpinalNet and CCT-7 were compared against the well-studied VGG. The study has shown that all models are susceptible to attacks, but the non-targeted attacks have a higher success rate. In addition, due to the same architecture at early layers, VGG and the SpinalNet architecture exhibit similar performance against targeted and untargeted attacks. Applying the same evasion attacks demonstrated that the convolution-based transformer model CCT-7/3 × 1 has superior robustness against newly generated and transferable attacks developed based on the CNN architecture. All models are generally more susceptible to ensemble attacks such as SquareAttack and AutoAttack. The evaluation study of cascaded neural models is planned as future work.