Improving Flat Maxima with Natural Gradient for Better Adversarial Transferability

Abstract

Deep neural networks are vulnerable and susceptible to adversarial examples, which can induce erroneous predictions by injecting imperceptible perturbations. Transferability is a crucial property of adversarial examples, enabling effective attacks under black-box settings. Adversarial examples at flat maxima-those around which the loss peaks and grows slowly-have been demonstrated to exhibit higher transferability. Existing methods to achieve flat maxima rely on the gradient of the worst-case loss within the small neighborhood around the adversarial point. However, the neighborhood structure is typically defined as a Euclidean space, which neglects the input space’s information geometry, leading to suboptimal results. In this work, we build upon the idea of flat maxima but extend the neighborhood structure from Euclidean space to the manifold measured by the Fisher metric, which takes into account the information geometry of the data space. In the non-Euclidean case, we search for the worst-case point in the direction of the natural gradient with respect to adversarial examples. The natural gradient adjusts the original gradient using the Fisher information matrix, giving the steepest direction in the manifold. Furthermore, to reduce the computational cost of calculating the Fisher information matrix, we introduce a diagonal approximation of the matrix and propose an empirical Fisher method under the model ensemble setting. Experimental results demonstrate that our proposed manifold extensions significantly enhance attack success rates against both normally and adversarially trained models. In particular, compared to methods relying on the Euclidean metric, our approach demonstrates more efficient performance.

1. Introduction

Numerous works [1,2,3] have demonstrated the vulnerability of Deep Neural Networks (DNNs) to adversarial examples, which are crafted by imposing human-imperceptible perturbations to natural examples, but can cause DNNs to produce incorrect predictions. Transferability is a central property of adversarial examples [4,5], which refers to the ability of adversarial examples generated against surrogate models to mislead other models. This property allows attacks to be performed under black-box settings, which can be exploited to evaluate the robustness of different models. Therefore, methods for generating high-transferable adversarial examples, known as transfer-based attacks, have gained increasing attention.

From the perspectives of optimization and generalization, many works have been proposed to improve the transferability of adversarial examples. Gradient optimization attacks [4,5,6,7,8,9,10,11,12,13] improve transferability by designing advanced gradient calculation algorithms to avoid falling into poor local maxima. Input transformation attacks [5,14,15,16,17,18,19] apply data augmentation strategies to inputs to avoid overfitting the surrogate model. Model ensemble attacks [4,20,21,22] generate adversarial examples for multiple surrogate models to reduce the generalization error [23], which is similar to training more data to improve model generalization. These methods treat the process of generating adversarial examples on the surrogate model as analogous to standard neural network training and leverage model generalization principles to guide the improvement of the transferability.

Inspired by the observation that flat local minima tend to result in better model generalization than their sharp counterparts [24,25,26,27,28,29], several studies demonstrate that adversarial examples at flat maxima tend to exhibit better transferability [8,9,22]. The loss landscape is formally defined as the geometry of the loss function with respect to the input. A flat maximum is characterized as an entire neighborhood having both high loss and low curvature in input space. In the context of model generalization, Sharpness-Aware Minimization (SAM) [24] is a seminal method for finding flat minima by minimizing the worst-case point within the neighborhood around the model instead of minimizing the original loss, where the worst-case point refers to a local loss maximum. Penalizing Gradient Norm (PGN) [27] is another method that can help the optimizer find flat minima by simultaneously minimizing the loss function and the gradient norm of the loss function. Existing works [8,22,30] have demonstrated that the generated adversarial examples exhibit higher transferability when gradient-based attacks are combined with SAM and PGN (denoted as SAM and PGN without ambiguity in the following). In the context of adversarial attack, SAM finds flat maxima by maximizing the worst-case point within the neighborhood around the input, where the worst-case point refers to a local loss minimum. PGN maximizes the loss function and minimizes the gradient norm of the loss function. We analyze the optimization objectives of SAM and PGN, and the intrinsic relationships between them when applied in adversarial attacks, from which we draw the corollary that the gradient of PGN can be expressed as a linear combination of the gradient of SAM with the gradient of the original loss function. This also implies that both SAM and PGN rely on the worst-case point within the neighborhood.

Despite their empirical success, these approaches implicitly assume that the neighborhood structure of the input space is Euclidean and that the standard gradient provides the steepest direction within this space. However, this assumption overlooks an important fact that DNNSs map inputs to discrete probability distributions over labels, and the input can be interpreted as a pullback mapping from the output space. The input space is rendered as a manifold with a non-linear Riemannian metric [31,32,33,34]. Under this perspective, following the standard gradients may fail to accurately find the worst-case point within the neighborhood around the input. The final found flat maxima would be suboptimal results.

In this paper, we follow the idea of flat maxima, but address the issue of the existing flat maxima attack approaches by redefining the neighborhood around adversarial examples as a manifold. Specifically, we consider the neighborhood boundary to be constrained by the KL divergence instead of the Euclidean metric, which geometrically conforms to the intrinsic property of the statistical manifold. This change in metrics suggests searching in the direction of the natural gradient for the worst-case point. The natural gradient adjusts the original gradient using the Fisher information matrix, which gives the steepest descent direction in the manifold with the Fisher metric. Based on the above analysis, it can be reasonable to assume that using natural gradients will find a more accurate worst-case. Therefore, optimizing with the gradient of this worst-case drives adversarial examples toward flatter and more stable high-loss regions. For the Fisher information matrix of adversarial examples, we approximate it as the diagonal matrix and use the average gradient of the model ensemble to estimate. The SAM with manifold neighborhood, termed NG-SAM is implemented under the model ensemble setting. Combining with original loss and adjusting the balancing coefficients, PGN with manifold neighborhood, termed NG-PGN can be flexibly implemented. We show in Section 4.8 that NG-PGN outperforms NG-SAM, and we provide a detailed analysis of this observation in Section 4.10. Concisely, the NG-SAM strategy primarily guides adversarial examples toward flat regions of the loss landscape, without significantly increasing the loss value. NG-PGN balances the loss value with the flatness of the loss surface, achieving better attack performance. Therefore, NG-PGN is adopted as the default method in subsequent comparisons with state-of-the-art approaches. Furthermore, similar to other ensemble attacks, both NG-SAM and NG-PGN can be integrated with gradient optimization and input transformation methods, further boosting the adversarial transferability.

The contributions of the proposed work can be summarized as follows:

• We reveal the intrinsic relationship between the attack objectives of SAM and PGN in the context of adversarial attacks, demonstrating that the gradient of PGN can be expressed as a linear combination of the SAM gradient and the original loss gradient. This insight enables the extension of the optimization of adversarial example regions in SAM to PGN.
• We address the issues of the existing flat maxima attack approaches (SAM and PGN) by considering the information geometry of the input space. Specifically, we redefine the neighborhood structure of adversarial examples from the Euclidean space to the manifold defined by the Fisher metric. To the best of our knowledge, this aspect has not been previously studied.
• An approximation of the Fisher information metric is proposed under the model ensemble setting, resulting in the same computational complexity of the proposd attack method as SAM and PGN, $O\left(2n\right)$, where n represents the image size. This approximation achieves consistent performance as full Fisher matrix without incurring additional computational cost.

Extensive experiments across ImageNet-compatible [35], CIFAR-10, and CIFAR-100 datasets demonstrate that NG-PGN significantly outperforms state-of-the-art attacks on diverse target models, including convolutional neural networks, vision transformers, adversarially trained models (e.g., Inc-v$3_{adv}$ [36]), and defense mechanisms. In particular, NG-PGN achieves the highest attack success rates of 74.8% on Swin-Base [37] and 87.3% on ResNet-152 [38], surpassing baseline methods by up to 30%. Furthermore, we quantitatively demonstrate that our manifold extension based on the natural gradient yields flatter loss regions, as evidenced by a 25% reduction in the Hessian trace compared to standard PGN, indicating that our method identifies a smoother and flatter loss region.

The rest of the paper is organized and detailed below. Section 2 details the related research work in transfer-based attacks and fisher information. Section 3 describes the intrinsic relationships between SAM and PGN within the context of adversarial attacks and implementation of manifold extension. Section 4 gives a detailed overview of the experimental results and analysis. In the last section, we conclude the paper and discuss future work.

2. Related Work

2.1. Transfer-Based Attack

(1) Gradient optimization attacks. These methods are predominantly based on utilizing the gradient direction of a surrogate model to optimize objective functions. The most typical technique is the Fast Gradient Sign Method [2]. The current work improves adversarial transferability by preventing adversarial examples from converging to poor local optima. Dong et al. [4] propose a momentum iterative fast gradient sign method (MI-FGSM) to improve the vanilla iterative FGSM methods by integrating the momentum term in the input gradient. Lin et al. [5] propose NI-FGSM (Nesterov Iterative Fast Gradient Sign Method), which leverages the looking-ahead property of Nesterov accelerated gradient to help escape from poor local optima. Wang et al. [6] present Variance tuning iterative method (VMI-FGSM), which follows the momentum iterative concept and incorporates gradient variance computed in the neighborhood of the previous data point to adjust the gradient direction at each iteration. Wang et al. [7] propose Enhanced Momentum Iterative method (EMI-FGSM), which accumulates the gradient of several data points in the direction of the previous gradient to enhance the current gradient. While these methods guide adversarial examples toward more favorable local maxima, they do not provide a precise or formal definition of what constitutes an optimal local maxima in the context of adversarial attacks.

(2) Input transformation attacks. In addition to modifying the gradient, input transformation methods enhance the transferability of adversarial examples by applying image transformation techniques to the input image. Xie et al. [14] propose the Diverse Input Method (DIM), which is the first work to suggest applying differentiable transformations to the clean input. Dong et al. [15] present the Translation Invariance Method (TIM), which aims to generate adversarial perturbations that remain effective not only for the original image but also for its pixel-shifted versions. In a similar motivation to TIM, Liu et al. [39] propose the Scale Invariant Method (SIM), which generates adversarial perturbations that remain effective across various downscaled versions of the input. Wang et al. [16] introduce the Admix method, which mixes up the input with images from other categories while maintaining its original labels. Long et al. [40] propose the Spectrum simulation attack (SSA), which transforms the input image into the frequency domain and performs the attack in that space. Wang et al. [41] present Block Shuffle & Rotation method (BSR), which divides he input image into multiple blocks, then randomly shuffles and rotates these blocks to generate diverse transformed images for gradient computation. These methods can be combined with gradient optimization attacks to further improve the transferability. However, these methods rely on the gradient accumulation of multiple transformations, which significantly increases the computational cost.

(3) Model ensemble attacks. These approaches are based on the hypothesis that if an example remains adversarial for multiple models, then it is more likely to transfer to other models. The basic idea of ensemble attacks is to utilize the output of multiple models to obtain an average model loss [42] or logits [4] and then apply gradient optimization attacks. Xiong et al. [20] propose the Stochastic Variance Reduced Ensemble (SVRE), which aims to reduce the gradient variance across multiple models through an additional iterative procedure computing an unbiased estimate of the ensemble gradient. In practice, the number of surrogate models is often limited, necessitating multiple sampling from the model ensemble to approach the generalization upper bound, which leads to substantial computational costs. Furthermore, only focusing on the variance does not necessarily lead to better generalization [43]. Chen et al. [21] focus on capturing the intrinsic characteristics of transferability and propose the Adaptive Model Ensemble Attack (AdaEA). This method adaptively regulates the fusion of each model’s output by monitoring the discrepancy ratio of their contributions to the adversarial objective, thereby enhancing attack effectiveness through dynamic ensemble weighting. Li et al. [44] advocate attacking a Bayesian surrogate model for achieving desirable transferability. However, such self-ensembled surrogate models typically exhibit lower performance compared to standard surrogate models, resulting in limited performance. Tang et al. [45] propose SMER, which introduces ensemble reweighing to refine ensemble weights by maximizing attack loss based on reinforcement learning. In contrast to the gradient optimization attacks and input transformation attacks, the crucial characteristics of ensemble attacks have not been fully exploited.

2.2. Flat Loss Surface and Transferability

Recently, learning algorithms motivated by the sharpness of the loss surface as an effective measure of the generalization gap have demonstrated state-of-the-art performance [46,47,48]. In particular, Jiang et al. [49] conducted a comprehensive study of 40 complexity measures and found that sharpness-based measures exhibit the strongest correlation with generalization performance. The SAM method [24] is an effective algorithm for obtaining a flatter loss landscape. It is formulated as a min-max optimization problem, where the objective is to simultaneously minimize both the loss value and the sharpness of the loss landscape. The PGN method [27] demonstrated that adding a gradient norm of the loss function can help the optimizer find flat local minima. Similarly, empirical and theoretical studies [8,9,22,30] suggest that transferability is also closely correlated with the flatness of the loss landscape at the adversarial examples. Qin et al. [9] propose improving the transferability of adversarial examples within the SAM-like min-max bi-level optimization framework. They seek to find perturbations that can maximize the loss of the perturbed data point updated by adding a reverse perturbation in the inner-minimization process. Chen et al. [22] propose the Common Weakness Attack (CWA) method, which introduces a modified SAM algorithm that optimizes landscape flatness within the infinity-norm space, enhancing transferability in ensemble attacks. Ge et al. [8] extend the PGN strategy to the adversarial attacks by penalizing the gradient norm of adversarial examples, thereby guiding the adversarial examples toward flat maxima.

These attacks validate the observation that adversarial examples located in flat local regions of the loss surface tend to exhibit improved transferability. However, we find that these methods rely on the gradient of the worst-case loss within a small neighborhood around the adversarial point. A significant drawback of these approaches is their assumption that the neighborhood around adversarial examples is denoted as a Euclidean space; the worst-case is found in the direction of the gradient with respect to the input. Since the model outputs are defined over a discrete probability distribution (e.g., class probabilities), the input can be interpreted as a pullback mapping from the output space, and the input space is rendered as a manifold with a non-linear Riemannian metric. This neglect of the information geometry of the input space leads to suboptimal results.

3. Methodology

In this section, we first introduce preliminaries and then review the objectives of SAM and PGN in adversarial settings. We demonstrate that PGN’s gradient is a linear combination of SAM’s gradient and the original loss gradient. Building on this, we redefine the neighborhood structure of adversarial examples from the Euclidean space to the manifold and propose NG-PGN, which addresses the issues of the existing flat maxima attack approaches.

3.1. Preliminaries

We let ${\mathcal{F}}_{\mathit{\Theta }}:=\left\{f_{\theta }\right\}$ denote a set of deep models, where each model $f_{\theta }$ with parameter $\theta$ maps input variables X to label variables Y and $\mathit{\Theta }$ denotes a discrete ensemble of model parameters. Given an input image $x\in X$ with its corresponding true label $y\in Y$, let ${\mathcal{B}}_{ϵ}\left(x\right)=\{\widehat{x}:{∥\widehat{x}-x∥}_p\le ϵ\}$ be an $ϵ$-ball around x, where $ϵ>0$ is a predefined perturbation magnitude, and ${\parallel ·\parallel }_p$ denotes the $L_p$-norm (we study the $L_{\infty }$-norm). By simultaneously attacking multiple surrogate models, ensemble attacks reduce the upper bound on the generalization error in empirical risk minimization and generate adversarial examples with higher transferability [23]. The attack objective is to maximize the loss over the average of the logits ensemble, which can be formulated as the following constrained optimization problem:

$$\underset{x^{\prime }\in {\mathcal{B}}_{ϵ}\left(x\right)}{max}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)=\underset{x^{\prime }\in {\mathcal{B}}_{ϵ}\left(x\right)}{max}{\mathcal{L}}_{ce}\left({\mathbb{E}}_{f_{\theta }\in {\mathcal{F}}_{\mathit{\Theta }}}\left[f_{\theta }\left(x^{\prime }\right)\right],y\right)$$

(1)

where $\mathcal{L}(·)$ represents the standard ensemble loss, $f_{\theta }\left(x^{\prime }\right)$ represents the logits output of model $f_{\theta }$ for the adversarial example $x^{\prime }$, and ${\mathcal{L}}_{ce}(·)$ is the loss function (e.g., cross-entropy loss).

Previous works [4,20,21,22] achieve the attack objective by using advanced gradient optimization attacks. For example, the momentum iterative update [4] of adversarial examples is expressed as follows:

$$x_{t+1}^{\prime }={\prod }_{{\mathcal{B}}_{ϵ}\left(x\right)}\left[x_t^{\prime }+\alpha ·\mathrm{sign}\left({\mathcal{M}}_{t+1}\right)\right],{\mathcal{M}}_{t+1}=\mu {\mathcal{M}}_t+{\displaystyle \frac{{\nabla }_{x_t^{\prime }}\mathcal{L}\left(y,x_t^{\prime };\mathit{\Theta }\right)}{\parallel {\nabla }_{x_t^{\prime }}\mathcal{L}\left(y,x_t^{\prime };\mathit{\Theta }\right){\parallel }_1}}$$

(2)

where $\mu$ is the decay factor, $\mathcal{M}$ represents the accumulation of gradients, t is the current number of iteration, $\alpha$ is the step size, and ${\prod }_{{\mathcal{B}}_{ϵ}\left(x\right)}$ constraints $x^{\prime }$ in the $ϵ$-ball around x.

3.2. Finding Flat Maxima Strategies

Recent empirical and theoretical studies [8,9,22,30,50,51] suggest that transferability is closely correlated with the flatness of the loss landscape at adversarial examples. In general, adversarial examples at flat maxima tend to exhibit better transferability. The SAM [22,24] and PGN methods [8,27] are two efficient approaches to achieve a flatter landscape. We begin by analyzing the attack objectives of standard SAM and PGN as follows:

SAM [24] modifies the loss function during each iteration of model training, where the new loss at the current iteration computes an approximate worst-case loss within its neighborhood. The optimization process of adversarial examples is analogous to the model training process [5,8,20]. Therefore, we can directly apply the SAM strategy [22] in ensemble attacks to improve transferability. The attack objective is modified to maximize the following worst-case objective instead of the standard ensemble loss. More formally, considering an r-ball neighborhood, the attack objective of SAM is defined as:

$$\underset{x^{\prime }\in {\mathcal{B}}_{ϵ}\left(x\right)}{max}{\mathcal{L}}_{SAM}\left(y,x^{\prime };\mathit{\Theta }\right)=\underset{x^{\prime }\in {\mathcal{B}}_{ϵ}\left(x\right)}{max}\underset{{∥\gamma ∥}_2^2\le r}{min}\mathcal{L}\left(y,x^{\prime }-\gamma ;\mathit{\Theta }\right)$$

(3)

where $\gamma$ is the perturbation vector on adversarial examples. $\gamma$ can be approximately solved using the closed-form of first-order Taylor expansion of the inner minimization. In the Euclidean space, the solution of $\gamma$ becomes the gradient norm of the standard loss function,

$$\gamma =r·{\nabla }_{x_t^{\prime }}\mathcal{L}\left(y,x_t^{\prime };\mathit{\Theta }\right){\parallel {\nabla }_{x_t^{\prime }}\mathcal{L}\left(y,x_t^{\prime };\mathit{\Theta }\right)\parallel }_2^{-1}.$$

(4)

The objective of SAM can also be accomplished iteratively using gradient optimization methods (e.g., MI-FGSM). Computationally, SAM incurs twice the cost of gradient computation at each iteration: one for computing $\gamma$ and the other for updating the adversarial examples by accumulating the gradient at $x^{\prime }-\gamma$.

PGN [27] promotes the loss function to have a small Lipschitz constant locally, thereby flattening the loss landscape. Intuitively, the objective of PGN can be formulated as introducing a penalty term on the gradient norm into the standard loss function $\mathcal{L}$, as follows.

$$\underset{x^{\prime }\in {\mathcal{B}}_{ϵ}\left(x\right)}{max}{\mathcal{L}}_{PGN}\left(y,x^{\prime };\mathit{\Theta }\right)=\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)-{\parallel {\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)\parallel }_2$$

(5)

where $\lambda$ is the penalty coefficient, s.t. $\lambda \ge 0$. However, the gradient of ${\mathcal{L}}_{PGN}$ involves the Hessian matrix, which is infeasible to compute directly. The finite difference method is used to approximate the second-order Hessian matrix using the first-order gradient. Through analysis of the approximate solution of Equation (5), we derive the following corollary:

Corollary 1.

The gradient of ${\mathcal{L}}_{PGN}$ can be expressed as a linear combination of the gradient of ${\mathcal{L}}_{SAM}$ with the gradient of the standard ensemble loss $\mathcal{L}$:

$$\nabla {\mathcal{L}}_{PGN}\left(y,x^{\prime };\mathit{\Theta }\right)\approx \left(1-\delta \right)\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)+\delta \nabla {\mathcal{L}}_{SAM}\left(y,x^{\prime };\mathit{\Theta }\right)$$

(6)

where $0\le x^{\prime }\le 1$ is a balancing coefficient.

Proof. 

The gradient of Equation (6) can be expressed as follows:

$$\begin{array}{cc}\hfill \nabla {\mathcal{L}}_{PGN}\left(y,x^{\prime };\mathit{\Theta }\right)& \approx \nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)-\lambda \nabla {∥\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)∥}_2\hfill \\ \hfill & \approx \nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)-\lambda {\nabla }^2\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right){\displaystyle \frac{\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{{∥\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)∥}_2}}\hfill \end{array}$$

(7)

Using the Finite Difference Method to approximate the Hessian matrix ${\nabla }^2\mathcal{L}\left(x^{\prime },y;\mathit{\Theta }\right)$, we have

$$-{\nabla }^2\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right){\displaystyle \frac{\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{{∥\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)∥}_2}}\approx {\displaystyle \frac{\nabla \mathcal{L}\left(y,x^{\prime }-\gamma ;\mathit{\Theta }\right)-\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{r}}$$

(8)

Based on Equation (3), we obtain

$$-{\nabla }^2\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right){\displaystyle \frac{\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{{∥\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)∥}_2}}\approx {\displaystyle \frac{\nabla {\mathcal{L}}_{SAM}\left(y,x^{\prime };\mathit{\Theta }\right)-\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{r}}$$

(9)

where $\gamma =r·{\displaystyle \frac{\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{{∥\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)∥}_2}}$. Combining Equations (7) and (8),

$$\nabla {\mathcal{L}}_{PGN}\left(y,x^{\prime };\mathit{\Theta }\right)\approx \left(1-{\displaystyle \frac{\lambda }{r}}\right)\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)+{\displaystyle \frac{\lambda }{r}}\nabla {\mathcal{L}}_{SAM}\left(y,x^{\prime };\mathit{\Theta }\right)$$

(10)

Setting $\delta ={\displaystyle \frac{\lambda }{r}}$ as the balancing coefficient, we thereby complete the Corollary 1’s proof. Figure 1 illustrates the iterative update process of the three aforementioned attack objectives.    □

3.3. Manifold Extensions Using Natural Gradient

The above theoretical analysis shows that existing flat maxima strategies use the gradient of the standard loss function to find the worst-case loss within neighborhoods around adversarial examples, which neglect the intrinsic geometry of the input space. Deep models inherently map inputs to discrete probability distributions, rendering the input space a statistical manifold endowed with nonlinear Riemannian geometry [31,32,33,34]. The Euclidean metric fails to capture the local curvature characteristics of such manifolds, causing gradient directions to deviate from the true steepest descent paths and limiting adversarial examples’ generalization.

To address this problem, we redefine the neighborhood of input as a manifold equipped with a non-linear Riemannian metric. In this case, the natural gradient gives the steepest-changing direction. We can compute the Kullback–Leibler (KL) divergence between the model probability outputs $p\left(y|x;\theta \right)$ and $p\left(y|x^{\prime };\theta \right)$ to quantify the distance between x and any $x^{\prime }$. For notational distinction, we redefine $\gamma$ under the non-Euclidean metric as ${\gamma }_m$. Therefore, the objective of the inner minimization in Equation (3) is optimized as:

$$\begin{array}{cc}\hfill & min\mathcal{L}\left(y,x^{\prime }-{\gamma }_m;\mathit{\Theta }\right),\hfill \\ \hfill & \mathrm{s}.\mathrm{t}.\mathrm{KL}\left(p\left(y|x^{\prime }-{\gamma }_m;\mathit{\Theta }\right)\left|\right|p\left(y|x^{\prime };\mathit{\Theta }\right)\right)\le r\hfill \end{array}$$

(11)

where $p\left(y|·;\mathit{\Theta }\right)$ represent ${\mathbb{E}}_{f_{\theta }\in {\mathcal{F}}_{\mathit{\Theta }}}\left[p\left(y|·;\theta \right)\right]$ in the model ensemble setting.

Fisher Metric. Since the first-order gradient of the KL divergence with respect to $\gamma$ vanishes, the second derivative corresponds to the Fisher information matrix, leading to:

$$\mathrm{KL}\left(p\left(y|x^{\prime }-{\gamma }_m;\mathit{\Theta }\right)\left|\right|p\left(y|x^{\prime };\mathit{\Theta }\right)\right)\approx {\displaystyle \frac{1}{2}}{\gamma }_m^{T}F\left(x^{\prime }\right){\gamma }_m$$

(12)

where $F\left(x^{\prime }\right)$ is the Fisher Information Matrix associated with $x^{\prime }$ which contains all the information about the curvature in the standard loss function. Therefore, Equation (11) is modified to:

$$\begin{array}{cc}\hfill & min\mathcal{L}\left(y,x^{\prime }-{\gamma }_m;\mathit{\Theta }\right),\hfill \\ \hfill & \mathrm{s}.\mathrm{t}.{\displaystyle \frac{1}{2}}{\gamma }_m^{T}F\left(x^{\prime }\right){\gamma }_m\le r\hfill \end{array}$$

(13)

Next, this objective is transformed into a unconstrained optimization problem by the Lagrange multiplier method:

$$\begin{array}{cc}\hfill {\gamma }_m& =\underset{{\gamma }_m}{\arg min}\mathcal{L}\left(y,x^{\prime }-{\gamma }_m;\mathit{\Theta }\right)+{\lambda }_m\left({\displaystyle \frac{1}{2}}{\gamma }_m^{T}F\left(x^{\prime }\right){\gamma }_m-r\right)\hfill \\ \hfill & \approx \underset{{\gamma }_m}{\arg min}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)+{\nabla }_{x^{\prime }}\mathcal{L}{\left(y,x^{\prime };\mathit{\Theta }\right)}^T{\gamma }_m+{\displaystyle \frac{{\lambda }_m}{2}}{\gamma }_m^{T}F\left(x^{\prime }\right){\gamma }_m-{\lambda }_{m}r\hfill \end{array}$$

(14)

where ${\lambda }_m$ is the Lagrangian coefficient. We set the partial derivative concerning ${\gamma }_m$ to 0 and have:

$$\begin{array}{cc}\hfill & {\nabla }_{x^{\prime }}\mathcal{L}{\left(y,x^{\prime };\mathit{\Theta }\right)}^T+{\displaystyle \frac{{\lambda }_m}{2}}F\left(x^{\prime }\right){\gamma }_m=0\hfill \\ \hfill \Rightarrow & {\gamma }_m=-{\displaystyle \frac{2}{{\lambda }_m}}F{\left(x^{\prime }\right)}^{-1}{\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)\hfill \end{array}$$

(15)

where $F{\left(x^{\prime }\right)}^{-1}{\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)$ represents the Natural Gradient, adjusting the gradient ${\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)$ according to the manifold curvature. To meet the neighborhood size r (As $r\to 0$, KL divergence is approximately symmetric) while maintaining suitability for adversarial attacks, ${\gamma }_m$ is defined as the norm of the natural gradient:

$${\gamma }_m=r·{\displaystyle \frac{F{\left(x^{\prime }\right)}^{-1}{\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)}{\parallel F{\left(x^{\prime }\right)}^{-1}{\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right){\parallel }_2^{-1}}}$$

(16)

3.4. Approximating Fisher Information Matrix

Following the above analysis, the key to calculating the natural gradient is obtaining the Fisher Information Matrix of the adversarial examples. To review, for model parameters $\theta$, the Fisher information matrix is defined by:   

$$F\left(\theta \right)={\mathbb{E}}_x{\mathbb{E}}_y\left[{\nabla }_{\theta }logp\left(y,x;\theta \right){\nabla }_{\theta }logp{\left(y,x;\theta \right)}^T\right]$$

(17)

In the concept of adversarial attacks, adversarial examples can be viewed as parameters to be optimized and the surrogate models as inputs. Therefore, in the model ensemble setting, the Fisher information matrix $F\left(x^{\prime }\right)$ can be approximated by:

$$F\left(x^{\prime }\right)={\mathbb{E}}_{\theta }{\mathbb{E}}_y\left[{\nabla }_{x^{\prime }}logp\left(y,x^{\prime };\theta \right){\nabla }_{x^{\prime }}logp{\left(y,x;\theta \right)}^T\right]$$

(18)

However, estimating such a Fisher information matrix by averaging the gradients multiple surrogate models for all classes is computationally unacceptable, especially when dealing with large-scale images (i.e., $F\left(x^{\prime }\right)\in {\mathbb{R}}^{|x^{\prime }|\times |x^{\prime }|}$ with $|x^{\prime }|$ denoting the size of input image). To save the computational effort, following previous works [31,32], we adopt a diagonal approximation, i.e., $F\left(x^{\prime }\right)\in {\mathbb{R}}^{|x^{\prime }|}$:

$$F\left(x^{\prime }\right)={\mathbb{E}}_{\theta }{\mathbb{E}}_y\left[{\nabla }_{x^{\prime }}logp{\left(y,x^{\prime };\theta \right)}^2\right]$$

(19)

Furthermore, since the objective of adversarial attacks is similar to that in supervised learning, the expectation ${\mathbb{E}}_y$ over label variables can be achieved by using only the true label. Consequently, we introduce the Empirical Fisher method in the model ensemble setting:

$$F\left(x^{\prime }\right)={\mathbb{E}}_{\theta }\left[{\nabla }_{x^{\prime }}logp{\left(y,x^{\prime };\theta \right)}^2\right]$$

(20)

Taking the element-wise reciprocal, we can obtain the inverse of $F\left(x^{\prime }\right)$. Figure 2 illustrates the calculation process of the Empirical Fisher. The details of calculating the natural gradient are summarized in Algorithm 1. Our empirical results (Section 4.6) demonstrate that employing a diagonal approximation yields performance comparable to the standard full-matrix version while significantly reducing computational overhead.

In the model ensemble setting, we finally approximate the Fisher information matrix and use the direction of natural gradient ${\gamma }_m$ to find the worst-case point for adversarial examples. Therefore, the manifold extension of SAM, called NG-SAM, can be expressed as follows,

$$\begin{array}{cc}\hfill & {\mathcal{L}}_{NG-SAM}\left(y,x^{\prime };\mathit{\Theta }\right)\approx \mathcal{L}\left(y,x^{\prime }-{\gamma }_m;\mathit{\Theta }\right)\hfill \\ \hfill & {\gamma }_m=r·{\displaystyle \frac{{\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)/{\mathbb{E}}_{\theta }\left[{\nabla }_{x^{\prime }}logp{\left(y,x^{\prime };\theta \right)}^2\right]}{{∥{\nabla }_{x^{\prime }}\mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)/{\mathbb{E}}_{\theta }\left[{\nabla }_{x^{\prime }}logp{\left(y,x^{\prime };\theta \right)}^2\right]∥}_2^{-1}}}\hfill \end{array}$$

(21)

Furthermore, by specifying the balancing coefficients $0<\delta <1$, we propose the manifold extension of PGN, termed NG-PGN. The calculation gradient of NG-PGN can be expressed as follows,

$$\nabla {\mathcal{L}}_{NG-PGN}\left(y,x^{\prime };\mathit{\Theta }\right)\approx \left(1-\delta \right)\nabla \mathcal{L}\left(y,x^{\prime };\mathit{\Theta }\right)+\delta {\mathcal{L}}_{NG-SAM}\left(y,x^{\prime };\mathit{\Theta }\right)$$

(22)

where the gradient is computed analogously to Equation (6) with $x^{\prime }=x^{\prime }-{\gamma }_m$. Notably, our approach considers only the local neighborhood around the adversarial example as the manifold, rather than the entire image space. Additionally, We randomly sample multiple examples and average the gradients of these examples to obtain a more stable gradient. We empirically show in Section 4.8 that NG-SAM performs worse than NG-PGN, and we provide a detailed analysis of this observation in Section 4.10. Therefore, NG-PGN is adopted as the default method in subsequent comparisons with state-of-the-art approaches. The detailed procedure of the NG-PGN attack is presented in Algorithm 2.

Algorithm 1: Calculating Natural Gradient

Input: Surrogate networks ${\mathcal{F}}_{\mathit{\Theta }}$ with parameters ensemble $\mathit{\Theta }$, loss function $\mathcal{L}$;

adversarial example $x^{\prime }$;

Output: The direction under the Fisher metric ${\gamma }_m$.

1   Calculate the gradient of standard ensemble loss using Equation (1) 2   Estimate Fisher Information Matrix using Equation (20) 3   Calculate the norm of natural gradient using Equation (16) 4   return: ${\gamma }_m$.

Algorithm 2: NG-PGN attack method (based on MI-FGSM)

4. Experiment

4.1. Experimental Settings

(1) 

Dataset: Following the protocol established in previous studies [6,7,9,27], we conduct our experiments on 3 widely used datasets, ImageNet-compatible [35], CIFAR-10 and CIFAR-100. For the ImageNet-compatible dataset, it is comprised of 1000 images with the size of 299 × 299 × 3. For both CIFAR-10 and CIFAR-100, we select 1000 images along with their corresponding true labels from the test set. The image size is 32 × 32 × 3.

(2) 

Target models: To validate the effectiveness of our methods, we test attack performance in comprehensive models. For the black-box attacks task on the ImageNet-compatible dataset, we select five normally trained models from both Convolutional Neural Networks (CNNs) and Vision Transformers (ViTs): ResNet-152 (Res-152) [38], DenseNet-121 (Dense-121) [52], ViT-Base (ViT-B) [53], Swin-Base (Swin-B) [37], and Deit-Base (Deit-B) [54], all are pretrained and available in Timm [55]. We also consider adversarially trained models, including Inc-v$3_{adv}$, Inc-v$3_{ens3}$, Inc-v$3_{ens4}$, and Inc-Res-v$2_{ens}$ [36]. Additionally, we evaluate various defense methods, such as HGD [56], RS [57], NRP [58], and Diffpure [59], which have demonstrated robustness against black-box attacks. For adversarial attacks on the CIFAR-10 and CIFAR-100, we select normally trained models, including Inc-v3 [60], MobileNet (Mobile) [61], and Densenet [52] as black-box target models.

(3) 

Baselines: Since the Empirical Fisher approximation is implemented in the model ensemble setting, we compare the proposed NG-PGN with state-of-the-art gradient optimization attacks under the model ensemble setting, including MI [4], NI [5], PI [62], VMI [6], VNI [6], EMI [7], RAP [9], and recent model ensemble attacks like SVRE [20], AdaEA [21], CWA [22] and SMER [45]. Additionally, we conduct ablation experiments comparing our method to the original PGN and SAM (both implemented under the Euclidean metric) to verify the effectiveness of our manifold.

(4) 

Hyper-parameters: Following the conventional settings in previous works [4,6,8,9,10,11], we set the maximum perturbation $ϵ$ to $16/255$, the number of iterations $T=10$, the step size $\alpha =ϵ/T$, and the decay factor for MI-FGSM to $1.0$. The neighborhood size r is set to $3·\alpha \approx 0.019$. For the NG-PGN attack, we set the balancing coefficient $\delta =1/2$. For the compared methods, we use the optimal hyper-parameters as reported in their respective papers. All the experiments were implemented using Pytorch 2.1.2 on an Intel(R) Core(TM) i9-14900K and a NVIDIA GeForce RTX 4090 GPU with 24 GB graph memory.

(5) 

Metrics: We use the black-box attack success rates (ASR) as the evaluation metric, which is calculated as the percentage of attacks that successfully cause a model to misclassify or generate incorrect outputs. This metric is pivotal in evaluating the robustness of models to adversarial perturbations.

4.2. Attack Results

We conduct a series of black-box attacks on target models and report the attack success rates (ASR). For the ImageNet-compatible dataset, we first consider surrogate models with a similar architecture, including four normally trained networks: ResNet-101 (Res-101) [38], Inception-v3 (Inc-v3), Inception-v4 (Inc-v4) [60], and Inception-ResNet-v2 (IncRes-v2) [63]. The results are presented in

Table 1. The untargeted black-box attack success rates (%) of various attack methods under the model ensemble setting. The surrogate models include Res-101, Inc-v3, Inc-v4, and IncRes-v2. The target models include normally and adversarially trained models and defense methods. The dataset is ImageNet-compatible. Here, the best results are bold.

Attack	Normally Trained Models					Adversarially Trained Models				Defense Methods
	Res	Dense	ViT-B	Swin-B	Deit-B	Inc-v$3_{\mathit{adv}}$	Inc-v$3_{\mathit{ens}\mathbf{3}}$	Inc-v$3_{\mathit{ens}\mathbf{4}}$	Inc-v$2_{\mathit{ens}}$	HGD	RS	NRP	Diffpure
MI	69.5	75.6	27.1	31.7	31.7	35.5	31.9	31.7	20.4	28.4	31.3	37.4	21.6
NI	76.6	82.9	28.4	31.0	31.9	37.7	31.5	29.1	20.8	24.6	30.6	39.2	26.5
PI	74.9	82.4	44.8	32.0	37.9	48.6	39.5	36.4	24.6	26.2	34.5	40.7	14.1
VMI	81.5	86.9	49.3	53.6	53.3	61.3	65.1	61.3	53.7	55.3	37.1	46.5	31.7
VNI	90.5	93.4	45.9	54.5	52.7	62.4	62.3	58.9	52.7	60.8	39.4	47.9	37.2
EMI	93.9	96.2	49.5	56.6	54.0	62.5	58.3	52.4	40.5	65.2	40.1	48.8	42.9
RAP	91.2	94.6	45.4	53.1	51.7	51.2	35.0	31.3	19.1	70.4	53.4	50.2	41.2
PGN	89.3	93.0	75.5	72.5	76.1	85.5	86.5	85.4	80.7	80.2	64.2	54.9	44.6
SVRE	79.8	85.2	28.5	33.9	30.6	51.1	47.7	55.6	46.3	47.6	40.2	30.5	22.5
AdaEA	78.2	80.6	53.6	61.5	60.3	48.3	55.2	56.2	40.3	45.8	41.6	32.6	21.4
CWA	80.5	80.2	54.7	51.2	52.9	55.0	63.5	58.8	51.7	49.8	46.2	35.9	34.9
SMER	83.2	85.0	84.0	64.7	65.1	60.9	70.2	62.0	44.5	56.3	47.5	42.1	38.7
NG-PGN	90.6	93.6	76.5	74.8	76.2	87.6	88.0	86.9	81.8	85.4	47.1	56.2	48.3

. Notably, for DiffPure, we set the maximum perturbation of all attack methods as $ϵ$ = 4/255 to align with its default parameter settings. Gradient optimization methods (e.g., MI, PI, VMI, EMI) typically achieve attack success rates ranging from 70% to 90% on normally trained CNNs (e.g., ResNet-152, DenseNet-121) and 30–50% on ViTs (e.g., ViT-B, Swin-B, DeiT-B). In general, methods that more effectively optimize gradient information tend to yield higher transferability, thereby achieving greater attack success rates in black-box settings. AdaEA achieves higher 61.5% ASR on Swin-B, demonstrating that employing a gradient adaptation strategy within the ensemble attack framework can indeed enhance performance. Across all target models, the NG-PGN attack outperforms other methods; for instance, MI, SVRE and AdaEA achieve 33.9%, 61.5% and 51.2% ASRs respectively on Swin-B, while our NG-PGN method achieves an impressive success rate of 74.8%. Moreover, when targeting adversarially trained models, the NG-PGN attack method consistently surpasses other model ensemble attacks, achieving an overall improvement of nearly 30% in attack success rates compared to the state-of-the-art methods. These results confirm that our proposed method effectively enhances the transferability of adversarial examples across various target models. We further evaluate black-box attacks against defense methods, with results presented in Table 1 (right). We observe that NG-PGN continues to outperform other model ensemble attacks. These findings further validate the efficacy of incorporating the information geometry of the data space to significantly enhance the transferability of adversarial attacks.

We then compare the attack success rates of adversarial examples generated by attacking a heterogeneous ensemble, including Res-101, Inc-v3, and ViT-B, with image size set to $224\times 224$. The results are presented in

Table 2. The untargeted black-box attack success rates (%) of various attack methods under the model ensemble setting. The surrogate models include Res-101, Inc-v3, and ViT-B. The target models include normally and adversarially trained models. The dataset is ImageNet-compatible. To accommodate the requirements of the ViT model, we resize the input images to 224 × 224 × 3. Here, the best results are bold.

Attack	Normally Trained Models						Adversarially Trained Models
	Res-152	Dense-121	Inc-v4	Swin-B	Deit-B	Avg.	Inc-v$3_{\mathit{adv}}$	Inc-v$3_{\mathit{ens}\mathbf{3}}$	Inc-v$3_{\mathit{ens}\mathbf{4}}$	Inc-v$2_{\mathit{ens}}$	Avg.
MI	57.3	65.0	60.6	41.2	61.2	57.1	54.3	48.4	48.7	38.7	47.5
NI	64.1	72.9	69.1	41.2	59.9	61.4	62.5	54.9	52.6	41.5	52.9
PI	62.5	76.1	72.8	34.7	58.5	60.9	68.3	64.9	60.5	53.5	61.8
VMI	73.3	78.4	79.1	58.2	75.4	72.9	74.6	71.2	69.6	61.5	69.2
VNI	80.8	85.3	83.9	61.6	77.9	77.9	78.6	75.6	73.4	65.8	73.4
EMI	86.0	88.0	86.8	64.6	82.4	81.6	80.9	74.9	73.3	65.5	73.7
RAP	86.0	91.0	89.2	64.0	82.0	82.4	80.1	69.3	66.4	51.8	66.9
PGN	85.5	90.3	91.1	74.3	89.7	86.1	86.1	87.2	86.5	83.1	85.7
SVRE	62.0	68.7	63.9	40.7	54.4	57.9	63.4	55.0	53.8	42.4	53.6
AdaEA	57.9	63.6	59.2	66.7	65.5	58.6	60.6	58.4	56.3	45.8	59.3
CWA	73.9	78.5	66.8	64.9	61.5	61.1	70.5	62.2	63.8	50.8	65.6
SMER	74.3	79.8	72.8	58.1	74.9	71.9	72.6	72.7	72.3	63.8	70.4
NG-PGN	87.3	91.7	92.6	76.8	92.7	88.2	89.7	88.1	87.1	83.3	87.0

. EMI and VMI also perform well, with average rates above 70% for normally trained models and 65% for adversarially trained models. We observe that NG-PGN consistently achieves the highest success rates across all models, significantly outperforming other attacks. For example, NG-PGN achieves the highest 87.3% on Res-152 and 89.7% on Inc-v$3_{adv}$. Its average success rates reach 88.2% for normal trained models and 87.0% for adversarially trained models, which are notably higher than other methods. These results also demonstrate the applicability of our Fisher Information Matrix approximation method to various model structures.

To further validate the effectiveness of our NG-PGN method across different datasets, we conduct experiments on the CIFAR-10 and CIFAR-100 datasets. Following conventional settings from prior work [4,6,8,21], we set the maximum perturbation $ϵ$ to $8/255$, the number of iterations to $T=10$, and the step size $\alpha$ to $2/255$. The adversarial examples are generated by attacking a model ensemble that includes VGG-16 (VGG) [64], ResNet-18 (Res-18), and ResNet-50 (Res-50) [38]. Results in

Table 3. The white-box and black-box attack success rates (%) of various attack methods under the model ensemble setting. The surrogate models include VGG, Res-18, and Res-50. The target models include white-box models and black-box models (Inc-v3, Mobile, and Densenet). The datasets are CIFAR10 and CIFAR100. Here, the best results are bold.

Attack	CIFAR-10							CIFAR-100
	VGG	Res-18	Res-50	Inc-v3	Mobile	Densenet	Avg.	VGG	Res-18	Res-50	Inc-v3	Mobile	Densenet	Avg.
MI	68.7	80.1	76.0	68.5	70.7	68.2	72.0	77.1	75.0	73.9	53.3	60.7	56.6	66.1
NI	84.2	92.3	88.6	75.8	80.4	77.1	82.9	79.4	78.1	76.6	53.5	63.9	57.4	68.1
PI	83.0	51.9	48.9	28.1	29.1	34.8	38.5	61.8	66.4	65.9	28.4	36.0	35.1	48.9
VMI	75.0	83.9	81.8	74.6	76.7	74.3	77.7	88.6	85.6	84.5	68.3	75.3	69.6	78.6
VNI	86.0	92.7	89.5	81.7	84.8	82.5	86.2	91.6	88.6	87.5	71.3	78.3	72.6	81.6
EMI	92.8	92.3	89.5	90.7	90.2	85.4	90.2	89.7	87.4	86.4	73.9	79.4	74.1	81.8
RAP	93.0	90.2	88.2	89.4	91.0	83.7	89.3	92.1	86.5	86.2	74.0	78.7	71.6	81.5
PGN	93.8	90.4	89.8	90.8	92.3	87.0	90.7	93.7	87.0	84.9	75.8	81.4	72.0	82.5
SVRE	91.8	90.9	88.6	81.2	84.3	81.1	86.3	88.2	86.6	86.6	63.6	75.0	67.6	77.9
AdaEA	86.1	80.5	83.8	72.6	74.2	73.6	78.4	85.9	86.4	84.7	60.8	70.2	67.1	75.9
CWA	88.9	90.5	87.5	80.8	84.2	77.0	84.8	90.0	87.6	89.0	67.2	77.6	69.1	80.1
NG-PGN	95.1	94.5	91.0	91.8	92.7	88.4	92.3	97.5	88.2	88.7	78.9	85.6	75.2	85.7

clearly show that our method improves attack transferability on the CIFAR-10 dataset. These results demonstrate broad applicability of our NG-PGN across various datasets and supports the notion that adversarial examples situated in flat local regions tend to exhibit improved transferability across diverse models.

4.3. Combined with Input Transformation Attacks

With its high flexibility and generality, our proposed method can be integrated with input transformation methods to further enhance adversarial example transferability. To demonstrate their effectiveness, we combine NG-PGN with DIM [14], Admix [16], SSA [40] and BSR [41]. We craft adversarial examples using a model ensemble comprising Res-101, Inc-v3, Inc-v4, and IncRes-v2, and evaluate their transferability on both normally and adversarially trained models. Figure 3 shows the attack success rates of adversarial examples generated by these input transformation methods, both individually and combined with NG-PGN. Our method demonstrates significant improvements when combined with these approaches. For instance, SSA achieves only a 65.1% average success rate across adversarially trained models; however, when integrated with our NG-PGN method, this rate increases to 87.3%, representing a 22.2% enhancement. Notably, after incorporating these input transformation-based methods, our NG-PGN achieves significantly better results on all target models compared to those shown in Table 1. This highlights the scalability of our method and its effectiveness in improving the success rates of transfer-based black-box attacks when combined with existing techniques.

4.4. Visualization of Attack Influence

(1) 

Loss landscape: To validate that our proposed NG-PGN method helps adversarial examples find flatter maxima regions, we compare the loss surface maps of adversarial examples generated by various attack methods on a surrogate model ensemble (Inc-v3, Res-101, Inc-v4, and IncRes-v2). The adversarial example is positioned at the center of the loss landscape. We randomly select one image from the dataset and visualize loss surfaces of corresponding adversarial examples generated by different attack methods in Figure 4. The comparison reveals that the adversarial examples generated by our approach reside in larger and smoother local maxima regions.

(2) 

Heatmap: Furthermore, to intuitively illustrate the attack performance, we visualize the attention heatmaps of a clean image and adversarial examples generated by different methods under the black-box ResNet-152 model in Figure 5. As shown in Figure 5a, ResNet-152 focuses on the primary object in the clean image. Figure 5b–k demonstrate that although the attention shifts slightly under adversarial perturbations from other attack methods, it still largely aligns with the focus of the clean image. In contrast, as depicted in Figure 5l, the attention induced by adversarial examples generated by NG-PGN deviates significantly, no longer concentrating on semantically relevant regions.

4.5. Quantitative Comparison on Loss Landscape Flatness

We note that flatness is commonly characterized by second-order curvature measures. We quantitatively evaluate the loss landscape flatness of the generated adversarial examples by MI, RAP, PGN, CWA, and our NG-PGN based on the Hessian trace, which is calculated using the method introduced in the work [65]. To ensure a fair comparison, we calculate the average of the Hessian trace of all adversarial examples generated on the ensemble including Res-101, Inc-v3, Inc-v4 and IncRes-v2. A lower Hessian trace directly indicates a flatter loss region. As reported in

Table 4. The comparison of the Hessian trace of MI, RAP, PGN, CWA and NG-PGN.

Method	MI	RAP	PGN	CWA	NG-PGN
Hessian Trace	16.2	14.5	12.8	11.6	10.3

, NG-PGN can significantly reduce the Hessian trace compared to the other four methods, which indicates that the generated adversarial examples converge to smoother, flatter regions.

4.6. Validation of the Fisher Information Matrix Approximation

To validate the effectiveness of the empirical Fisher information matrix approximation proposed in Section III-E, we conducted comparative experiments on the CIFAR-10 dataset between the full Fisher matrix (Equation (18)) and its diagonalized counterpart (Equation (20)). To comprehensively demonstrate the performance of the Empirical Fisher, we further provide the following three in-depth comparisons against the full Fisher information matrix. Results in

Table 5. A comparison of Attack success rate, time complexity, and computational cost between Empirical Fisher and Full Fisher Matrix.

Method	Empirical Fisher	Full Fisher Matrix
Attack success rate (%) ↑	92.3	93.5
Time cost (s) ↓	4.45	77.6
Memory usage (GB) ↓	0.3	12.5

demonstrate that the diagonal approximation preserves competitive attack capability, achieving an average success rate of 92.3% compared to 93.5% for the full matrix method, with statistically insignificant transferability degradation. Crucially, the computational efficiency improved substantially: For a 32 × 32 × 3 image and a surrogate model ensemble including VGG, Res-18 and Res-50, the full matrix method required 77.6 s per iteration and 12.5 GB memory due to covariance computations across all gradient dimensions, while the diagonal approximation reduced runtime to 4.45 s (94% reduction) and memory consumption to 0.3 GB (97.6% reduction) by retaining only the expectation of squared gradient components. These findings confirm that the empirical approximation maintains near-equivalent attack potency while resolving the prohibitive computational overhead of the full Fisher matrix, enabling practical deployment in resource-constrained scenarios.

4.7. Computational Cost and Efficiency Analysis

To evaluate the practical efficiency of the proposed NG-PGN method, we conduct a comparison of its computational cost against representative gradient-based attacks. We measure both the average time per iteration and the total attack time for different attack methods. The compared methods include MI, VMI, EMI, RAP, PGN, and the proposed NG-PGN.

Table 6. The comparison of the computational cost of different methods.

Method	MI	VMI	EMI	RAP	PGN	NG-PGN
Time/Iter (s)	0.8	2.9	2.1	26.2	11.1	11.3
Total Attack Time (s)	8.9	30.5	20.4	269.4	110.5	112.4

reports the computational cost of different methods attacking a 10-image batch (10 × 299 × 299 × 3). We can observe that while NG-PGN is more expensive than simple first-order methods such as MI and EMI, this overhead is expected since PGN and NG-PGN both require additional gradient evaluations to optimize flat maxima. Importantly, NG-PGN maintains the same asymptotic computational complexity as PGN, as the proposed diagonal and empirical Fisher approximation avoids explicit matrix construction and inversion.

4.8. Ablation Study on Metrics

Standard SAM defines the neighborhood around adversarial examples as a Euclidean ball. We extend this by incorporating input space geometry and adapting it to a manifold. Table 1, Table 2 and Table 3 show that NG-PGN outperforms PGN, supporting the effectiveness of manifold metrics. To further validate this, we compare SAM under Euclidean and manifold metrics in

Table 7. The untargeted black-box attack success rates (%) of SAM under the model ensemble setting, using Euclidean and non-Euclidean neighborhoods, respectively.

Attack	Res-152	Dense-121	ViT-B	Swin-B	Avg.
SAM	71.6	78.5	43.7	50.4	61.1
NG-SAM	75.2	83.0	47.8	51.3	64.3

. In black-box attacks on normally trained models, the manifold consistently outperforms the Euclidean version, confirming its advantage in enhancing transferability.

To quantify the impact of manifold extension on loss flatness, we compute the Hessian trace of Inc-v3 at PGN and NG-PGN adversarial examples. The trace, as the sum of eigenvalues, reflects curvature—lower values indicate flatter maxima. As shown in

Table 8. A comparison of the Hessian trace at generated adversarial examples, time complexity, and computational cost between PGN and NG-PGN.

Method	PGN	NG-PGN
Hessian trace ↓	12.8	10.3
Time complexity	$O\left(n\right)$	$O\left(n\right)$
Computational cost (s) ↓	110.5	112.4

(row 1), NG-PGN reduces the trace by 25% over PGN, indicating smoother loss regions. Additionally, our Fisher matrix approximation reduces NG-SAM’s complexity to $O\left(2n\right)$—matching SAM—with n as image size. We compare NG-PGN and PGN runtime on a single NVIDIA 4090 GPU using a 10-image batch (299 × 299 × 3), shown in Table 8 (row 3). NG-PGN improves adversarial transferability while maintaining low computational cost.

4.9. Ablation Study on Hyper-Parameters

(1) 

The Balancing Coefficient $\mathit{\delta }$: As $\mathbf{0}<\mathit{\delta }<\mathbf{1}$, the proposed attack is termed NG-PGN. According to the Proof in Section 3.2, when $\mathit{r}$ is fixed, increasing $\mathit{\delta }$ is equivalent to increasing the weight $\mathit{\lambda }$ of the gradient norm penalty term. Conversely, for fixed $\mathit{\lambda }$, increasing $\mathit{\delta }$ is equivalent to reducing the size $\mathit{r}$ of the neighborhood. As shown in the following Figure 6a, the attack success rates achieve the peak for these black-box models when setting $\mathit{\delta }$ to $\mathbf{0.5}$.

(2) 

The maximum perturbation $\mathit{ϵ}$: The impact of perturbation magnitude $\mathit{ϵ}$ on the attack success rates of NG-PGN is illustrated in Figure 6b. We observe that a larger perturbation results in higher attack success rates. To balance the attacks success rates and the imperceptibility of adversarial examples, we set the perturbation size to $\mathbf{16}/\mathbf{255}$ in our experiments.

(3) 

The size of neighborhood $\mathit{r}$: In SAM, the size of neighborhood $\mathit{r}$ constrains the distance between the worst-case and the current point, which also applies to manifolds with non-Euclidean measures. As shown in Figure 6c, we study the influence of the $\mathit{r}$ in the NG-PGN and NG-SAM. As we increase $\mathit{r}$ from $\mathit{\alpha }$ to $\mathbf{5}·\mathit{\alpha }$, the transferability increases and achieves the peak at $\mathit{r}=\mathbf{3}·\mathit{\alpha }$.

4.10. Further Analysis

(1) 

Whydoes NG-SAM underperform NG-PGN? Under small iteration step sizes, NG-SAM demonstrates poor performance, particularly exhibiting lower transferability on normally trained models. We argue that the SAM strategy primarily guides adversarial examples toward flat regions of the loss landscape, without significantly increasing the loss value. To support this claim, we conducted a comparison experiment with NG-SAM at different step sizes. Figure 7a shows the attack success rates of NG-SAM vary with different values of $\alpha$, and Figure 7b shows the loss gap between NG-SAM using different step sizes. The attack success rates increase as the loss value rises, further confirming our argument.

(2) 

Attack large visual language models: Furthermore, to illustrate the effectiveness of adversarial examples generated by NG-PGN, we conducted experiments on three large visual language models: GPT-4o (https://chat.openai.com/chat, accessed on 29 December 2025), ChatGLM-4.1v (https://chatglm.cn/main/alltoolsdetail?lang=en, accessed on 29 December 2025), and Google Gemini 2.0 (https://gemini.google.com/app, accessed on 29 December 2025). The surrogate models for generating adversarial examples include ViT-B and Swin-B. As shown in Figure 8, these models are fooled to varying degrees when describing the adversarial images. For instance, ChatGPT-4o and ChatGLM incorrectly identified the species, while Gemini miscounted the number of animals in the adversarial example.

5. Conclusions

Transferability allows adversarial examples to effectively attack a target model without any prior knowledge of it. It is widely recognized that adversarial examples at flat maxima of the loss landscape can exhibit higher transferability. SAM and PGN are efficient methods for finding flat maxima and have been shown to enhance adversarial transferability in transfer-based attacks. In this paper, we build upon the concept of flat maxima but incorporate the information geometry of the image space when defining the neighborhood around the input. To reduce computational effort, we approximate the Fisher information matrix for adversarial examples empirically as a diagonal matrix and estimate it within a model ensemble setting. Extensive experiments on the ImageNet-compatible, CIFAR-10, and CIFAR-100 datasets demonstrate that combining the proposed manifold extensions with a model ensemble attack generates adversarial examples with higher transferability compared to SAM, PGN, and other transfer-based attacks. Finally, although existing works have verified that flat maxima can improve transferability from a generalization perspective, a theoretical analysis is still not enough. In addition, the current implementation adopts fixed hyperparameters, such as step size and neighborhood radius, following standard settings in prior work. Future research could explore adaptive step-size strategies or dynamically adjusted neighborhood sizes to further improve efficiency and robustness. We hope our work further elucidates the mechanism of flat maxima in generating highly transferable adversarial examples.