A High-Transferability Adversarial Sample Generation Method Incorporating Frequency Domain Transformations

Abstract

Adversarial attack methods have achieved satisfactory results in white-box attack scenarios, but their performance declines when transferred to other deep neural network (DNN) models. Currently, there are many methods to improve the transferability of adversarial samples, and enhancing transferability through input transformations is an effective approach. However, most existing input transformations are performed in the spatial domain, neglecting transformations in the frequency domain. Therefore, this paper proposes a novel input transformation-based attack: the frequency domain enhancement (FDE) method, which performs input transformations in the frequency domain to increase input diversity. Specifically, this method processes input images in the frequency domain, suppresses high-frequency information in the input images, and then randomly amplifies certain frequency domain information, generating adversarial samples with stronger transferability. Experimental results show that adversarial samples generated through FDE demonstrate significant improvement in transferability on both undefended and defended models on the ImageNet dataset. Notably, this method can be combined with many existing techniques to further enhance the transferability of adversarial samples.

1. Introduction

In recent years, DNN [1,2,3,4] have achieved tremendous success in the field of computer vision, including applications such as autonomous driving, facial recognition, and object detection. However, the stability of DNN remains a concern for the general public. Researchers such as Szegedy and Goodfellow [5,6] have highlighted the existence of adversarial attacks, where carefully designed but imperceptible perturbations are added to natural images, enabling adversarial samples to successfully deceive DNN models. Thus, designing effective attack methods to verify the robustness of DNN models before deploying them in critical domains, such as autonomous driving, is of paramount importance.

Adversarial attacks can be categorized into white-box and black-box attacks. In white-box attacks, the victim model is fully transparent to the attacker, who has access to all information, including the victim model architecture and parameters, resulting in a high success rate for the adversarial samples. However, because it is challenging to gain access to all information about the victim model, white-box attacks are not feasible in real-world environments. Due to the inherent transferability of adversarial samples across various DNN models, many researchers have focused on black-box attack scenarios. In black-box attacks, adversarial samples are crafted using a reference white-box model and then transferred to the black-box model for attacking. When the differences between the white-box and black-box models are substantial, or the adversarial samples are overly fitted to the original reference white-box model, their transferability decreases.

To address this issue, researchers have proposed several techniques to enhance the transferability of adversarial samples, including gradient calculation-based methods [7,8], input transformations [7,9,10,11,12,13], and feature-level attacks [14,15]. Among these, input transformation has emerged as one of the most effective methods, which is conceptually similar to data augmentation techniques used in model training. This is also the main focus of our research. The objective of applying transformations to input images is to reduce the overfitting of the generated adversarial samples to the original reference white-box model, thereby improving transferability.

Existing input transformations are mostly conducted in the spatial domain, but transformations in the frequency domain, as shown in traditional image processing research, can often achieve similar effects to those in the spatial domain. This paper proposes a frequency domain enhancement (FDE) method, which processes images in the frequency domain to generate adversarial samples with stronger transferability. Firstly, FDE performs image transformations in the frequency domain by suppressing high-frequency information while preserving low-frequency information, and then partially enhancing specific components in the frequency domain. Experimental results demonstrate that adversarial samples generated by FDE achieve higher transferability when attacking multiple recognition models. Overall, the main contributions of this paper are as follows:

• This study finds that the patterns in the frequency domain of images are relatively consistent, allowing for more convenient modifications to specific regions of an image by altering its frequency domain. Such modifications are difficult to achieve in the spatial domain, and they can help generate adversarial samples with higher transferability.
• This paper proposes a novel method of frequency domain transformation and finds that suppress high-frequency information in the input image, while enhancing the frequency domain information of specific regions, is beneficial for improving the transferability of generated adversarial samples.
• This paper conducts extensive experiments to demonstrate the superiority of the frequency domain enhancement (FDE) method, which exhibits excellent transferability across both standard models and defense models. Furthermore, combining FDE with existing methods can enhance the transferability of the generated adversarial samples.

2. Related Work

Szegedy et al. [5] highlighted the vulnerability of DNN to adversarial samples, which can cause the model to misclassify with a high probability. They employed the LBFGS method to generate adversarial samples. Since then, adversarial samples have been extensively studied.

Depending on the level of access to model information, current attack methods can be classified into white-box and black-box attacks. White-box attacks, such as the fast gradient sign method (FGSM) [6], suggest that the existence of adversarial samples is due to the linear characteristics of DNN and use gradient ascent to maximize the loss. Iterative FGSM (I-FGSM) [16] extends FGSM by iteratively applying small perturbations in the direction of gradient increase. DeepFool [17] generates minimal norm adversarial perturbations through an iterative calculation method, pushing images beyond the classification boundary until misclassification occurs. In practice, attackers usually do not have access to the internal information of the model, making black-box attacks more relevant. Black-box attacks can be broadly divided into query-based [18,19] and transfer-based approaches. Query-based attacks focus on estimating the target model’s gradient by interacting with it. Transfer-based attacks include gradient calculation-based methods, input transformation-based methods and feature-level attacks. Momentum Iterative FGSM (MI-FGSM) [8] proposes an iterative generation method based on momentum to avoid getting trapped in local optima. Diverse input FGSM (DI-FGSM) [9] randomly adjusts the size of the input image and applies padding. Translation-invariant FGSM (TI-FGSM) [20] smooths gradients using a Gaussian kernel. Feature importance-aware (FIA) [14] introduces aggregated gradients to capture feature importance, averaging gradients over the feature maps of the source model. Spectrum simulation attack (SSA) [21] converts images to the frequency domain and applies random masks, generating diverse spectral saliency maps that reflect the diversity of substitute models. Other transfer-based methods include scale-invariant (SI) [7], which leverages the scale-invariance property of CNN by computing the average gradient over multiple scaled images, and the Nesterov iterative (NI) [7], which incorporates the Nesterov accelerated gradient method into iterative gradient-based attacks to mitigate local optima during the optimization process. Object diversity-based input (ODI) [10] renders images on different 3D objects, drawing adversarial images on these objects. Admix [11] randomly samples images from other classes and mixes them with the original image for gradient calculation. Linear backpropagation (LinBP) [22] removes certain ReLU layers from the source model to reduce their impact during forward and backward computations, making the model more linear. Backward propagation attack (BPA) [23] identifies that non-linear layers (ReLU, max-pooling) truncate gradients during backpropagation, reducing adversarial sample transferability. BPA uses a non-monotonic function as the derivative of ReLU and combines softmax with a temperature parameter to smooth the derivative of max-pooling. Affordable and generalizable substitute (AGS) [24] believes that current adversarial attacks are all based on pre-trained models used as source models; however, these models are not specifically developed for adversarial attacks. Therefore, they propose a training architecture tailored for adversarial attacks. By employing various techniques, these methods enhance the transferability of adversarial samples across different DNN models, providing insights into their robustness and adaptability in both standard and defense models.

3. Methodology

This paper focuses on the transferable attacks of adversarial samples. It begins with an introduction to basic attack methods [6,8,16,21], followed by a detailed description of the frequency domain enhancement (FDE) method and its underlying motivation.

3.1. Preliminary

First, we define f (·) as a neural network classifier, θ as the model parameters, and $x$ as the input image with the true label y. Let J denote the loss function. The goal of an adversarial attack is to generate an adversarial perturbation $\delta$ such that the adversarial example $x^{\mathrm{adv}}=x+\delta$ leads to misclassification by the model, i.e., $f(x+\delta )\ne$ y. To ensure that the perturbation $\delta$ is imperceptible to the human eye, an ${\mathcal{l}}_{\mathrm{\infty }}-\mathrm{norm}$ constraint is applied, represented as ${∥\delta ∥}_{\infty }\le ϵ$, where $ϵ$ denotes the maximum perturbation magnitude. Therefore, the process of generating an adversarial perturbation can be viewed as an optimization problem, as shown in Equation (1):

$$x^{adv}=\underset{{∥\delta ∥}_{\infty }\le ϵ}{argmax}\mathrm{J}\left(x^{adv},\mathrm{y};\mathsf{\theta }\right)$$

(1)

where $J\left(x^{adv},y;\theta \right)$ represents the cross-entropy loss function.

In black-box attacks, the model parameters $\theta$ are not accessible. Therefore, the common approach is to solve the optimization problem on a substitute model to generate adversarial samples. Here, we introduce some other attack methods. The adversarial samples generated by the fast gradient sign method (FGSM) [6] are formulated as follows:

$$x^{adv}=x+ϵ\cdot sign\left({\mathsf{\nabla }}_{x}J\left(x, y;\theta \right)\right)$$

(2)

where ${\mathsf{\nabla }}_{x}J\left(x,y;\theta \right)$ represents the gradient of the loss function with respect to $x$, sign($\cdot$) is the sign function.

The iterative fast gradient sign method (I-FGSM) [16] is an improved version of FGSM. Instead of adding a single-step perturbation in the direction of the gradient as in FGSM, I-FGSM introduces multiple small perturbations iteratively in the direction of the gradient. The magnitude of each perturbation is controlled by α, and the gradient direction is recalculated at each step. The formula is as follows:

$$x_0^{adv}=x$$

(3)

$$x_{t+1}^{adv}={\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{p}}_x^{\epsilon }\{x_t^{adv}+\mathsf{\alpha }\cdot \mathit{sign}\left({\mathsf{\nabla }}_{x}J\left(x_t^{adv}, y;\theta \right)\right)$$

(4)

where $x_{\mathrm{t}}^{\mathit{adv}}$ represents the adversarial example generated at the t-th iteration,${ \mathrm{C}\mathrm{l}\mathrm{i}\mathrm{p}}_x^{\mathsf{\epsilon }}(\cdot )$ denotes an element-wise clipping operation to ensure $x_{\mathrm{t}}^{\mathit{adv}}\in [x-\epsilon ,x+\epsilon ]$, and $\alpha$ is the step size.

The momentum iterative fast gradient sign method (MI-FGSM) [8] integrates the technique of I-FGSM by accumulating a velocity vector in the direction of the gradient of the loss function during the iteration process to accelerate the gradient descent algorithm. The formula is as follows:

$$g_{t+1}=\mu \cdot g_t+{\displaystyle \frac{{\mathsf{\nabla }}_{x_t^{adv}}J\left(x_t^{adv}, y;\theta \right)}{\parallel {\mathsf{\nabla }}_{x_t^{adv}}J\left(x_t^{adv}, y;\theta \right){\parallel }_1}}$$

(5)

$$x_{t+1}^{adv}={\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{p}}_x^{\mathsf{\epsilon }}\{x_t^{adv}+\alpha \cdot sign\left(g_{t+1}\right)\}$$

(6)

where $g_t$ is the accumulated gradient at the t-th iteration, and $g_t=0$. $\mu$ represents the decay factor, which is typically set to 1.

3.2. Frequency Domain Enhancement

Previous work [1,2,25,26] has shown that different models often rely on different frequency components of each input image when making decisions. From a frequency domain perspective, Long at al. [21] explores the correlation between models by enhancing the image in the frequency domain after applying a discrete cosine transform (DCT). After a DCT transformation, the low-frequency components of an image are concentrated in the upper-left corner of the spectrum. Compared to the spatial domain, information in the frequency domain is more stable. The formula for transforming an image signal from the spatial domain to the frequency domain using DCT is as follows:

$${DCT\left(x\right)}_{[u,v]}={\displaystyle \frac{2}{E}}C\left(u\right)C\left(\nu \right){\sum }_{i=0}^{E-1}{\sum }_{j=0}^{E-1}x[i,j]cos\left[{\displaystyle \frac{\left(2i+1\right)u\pi }{2E}}\right]cos\left[{\displaystyle \frac{\left(2j+1\right)\nu \pi }{2E}}\right]$$

(7)

$x[i,j]$ represents the value of the image at the coordinate [i, j], and E denotes the size of the image, while C(u) and C(v) are compensation coefficients designed to ensure the orthogonality of the DCT matrix.

JPEG [27] compression technology achieves a high compression ratio with minimal degradation of image quality by retaining the low-frequency coefficients that are important to human vision while setting most of the high-frequency coefficients to zero. Inspired by this, we propose a new spectral transformation method, frequency domain enhancement (FDE), which improves upon the SSA [21] through a modified random spectral transformation. The formula for SSA is as follows:

$$T\left(x\right)=IDCT\left(DCT(x+\xi )\odot M\right)$$

(8)

where DCT stands for discrete cosine transform, and IDCT stands for inverse discrete cosine transform, and $\odot$ represents the Hadamard product. The values in $\xi \sim \mathcal{N}\left(0,{\sigma }^{2}I\right)$ and each element of $M~\mathcal{U}\left(1-\rho ,1+\rho \right)$ represent random elements sampled from Gaussian and uniform distributions, respectively. In the paper, $\sigma$ = 16 and $\rho$ = 0.5. It is important to note that both DCT and IDCT are lossless transformations.

The proposed frequency domain enhancement (FDE) method filters certain frequency components of the image using a weight matrix. One of the designed weight matrices, $M_1$ has the same size as the image, with values linearly decreasing from 1 at the top-left corner to 0 at the bottom-right corner. Specifically, the top-left 1/64 region has a value of 1, and the bottom-right 1/64 region has a value of 0, as shown in Figure 1a, where different colors represent the distribution of $M_1$ values. By applying the Hadamard product between $M_1$ and the spectrum, the resulting spectrum attenuates certain high-frequency components. To increase the variety of processed images, the method also designs another weight matrix, $M_2$, composed solely of 0 and 5. This matrix is used for random frequency enhancement operations. Figure 1b shows a selected weight matrix, where the black areas have a value of 5 and the white areas have a value of 1. The enhancement operation is performed by applying the Hadamard product between ${\mathrm{M}}_2$ and the spectrum elements. Finally, the inverse discrete cosine transform (IDCT) is applied to convert the image from the frequency domain back to the spatial domain, yielding the enhanced image. The formula is as follows:

$$P\left(x\right)=DCT(x+\xi )\odot M$$

(9)

$$F\left(x\right)=IDCT\left(P\right(x)\odot M_1\odot M_2(S,K))$$

(10)

S represents the area of frequency domain enhancement, with the enhanced region being randomly selected, and K denotes the enhancement coefficient in the frequency domain; $\odot$ represents the Hadamard product.

As shown in Figure 2, the transformation in the frequency domain differs from input transformations in the spatial domain. In the frequency domain, the transformation not only retains the essential semantic information but also involves color changes and effectively distinguishes important features from less significant ones. For example, in Figure 2, the main features—such as the panda, beetle, frog, and bird—are clearly separated from the background after the FDE transformation. This is because there is significant spatial correlation between pixels in the image, and DCT significantly reduces these correlations, concentrating the image’s energy in the upper-left region, representing low-frequency information, while high-frequency information is concentrated in the lower-right region. High-frequency information corresponds to the edges of the image, which often overlap with key regions of the image. Our transformation suppresses high-frequency information, guiding the adversarial samples toward improved transferability.

3.3. Attack Algorithms

In the previous section, we introduced the spectral transformation method proposed in this paper. This transformation can be combined with any gradient-based attack. The attack algorithm designed in conjunction with FGSM in this paper is as follows (Algorithm 1):

Algorithm 1. FDE-FGSM

Input: A classifier f(·) with parameters $\theta$, loss function J, clean image $x$ with true label y, the maximum perturbation magnitude $ϵ$, $\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{p}\left(x,0,1\right)$ ensures that the generated pixel values remain within the range [0, 1] during the adversarial sample generation process, number of spectral transformations N, number of random enhancements Q, std $\mathsf{\sigma }$ of noise $\xi$, and number of iterations T.

Output: The adversarial example $x^{adv}$ 1: $\alpha =ϵ/T,$ $x_0^{adv}$= $x$, $g_0=0$ 2:  for t = 0 → T − 1 do 3:       for i = 1→ N do 4:             Get transformation output $x_t^{adv}=P\left(x_t^{adv}\right)$ using Equation (9) 5:             for k = 1 → Q do 6:                  Get transformation output F$\left(x_t^{adv}\right)$ using Equation (10) 7:                  Gradient calculate ${ g}_{i,k}={\mathsf{\nabla }}_{x_t^{adv}}J\left(F\left(x_t^{adv}\right),y;\theta \right)$ 8:              end for 9:        end for 10:      Average gradient: $\overline{g}={\displaystyle \frac{1}{N\ast Q}}\sum _{i=1}^N{\sum }_{k=1}^Q{ g}_{i,k}$ 11:      $x_{t+1}^{adv}={\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{p}}_x^{\epsilon }\{x_t^{adv}+\alpha \cdot sign\left(\overline{g}\right)\}$ 12:      $x_{t+1}^{adv}=\mathrm{C}\mathrm{l}\mathrm{i}\mathrm{p}(x_{t+1}^{adv},0,1)$ 13:  end for 14:  $x^{adv}=x_T^{adv}$ 15:  return $x^{adv}$

4. Experiments

4.1. Experiment Setup

The experiments in this paper are based on a dataset compatible with ImageNet, which contains 1000 images with a resolution of 299 × 299 × 3. This dataset was previously used in the NIPS 2017 adversarial competition. For model selection, six commonly used normally trained models were chosen, including Inception-v3 (Inc-v3) [1], Inception-v4 (Inc-v4) [2], Inception-Resnet-v2 (IncRes-v2) [2], Resnet-v2-50 (Res-50), Resnet-v2-101 (Res-101), and Resnet-v2-152 (Res-152) [3]. Additionally, three defense models were employed: ${Inc\text{\_}v3}_{\mathrm{e}\mathrm{n}\mathrm{s}3}$, ${Inc\text{\_}v3}_{\mathrm{e}\mathrm{n}\mathrm{s}4}$, ${IncRes\text{\_}v2}_{\mathit{e}\mathit{n}\mathit{s}}$ [28].

Comparison: To demonstrate the effectiveness of the spectral transformation attack proposed in this paper, we compared it with various state-of-the-art attack methods, including MI-FGSM [8], DI-FGSM [9], TI-FGSM [8], and ${\mathrm{S}}^2\mathrm{I}$-FGSM [21]. Additionally, we also compared the combined versions of these methods, such as SIM [7], DI-MI-FGSM, VMI-FGSM [29], and ${\mathrm{S}}^2\mathrm{I}$-MI-FGSM.

Parameter settings: In all experiments, the maximum perturbation is set to $ϵ$ = 16, with the number of iterations T = 10 and step size α = ϵ/T = 1.6. For MI-FGSM, we set the decay factor $\mu$ = 1.0. For DI-FGSM, the transformation probability p = 0.5. For TI-FGSM, the kernel size k = 7. For SIM, the number of copies m = 5, and for VMI-FGSM, the neighborhood upper limit $\beta =1.5 \ast ϵ$. For ${\mathrm{S}}^2$-FGSM, we set the number of spectral transformations N = 20. For FDE, we set the number of enhancements Q = 2, enhancement area S = 70 × 70, and enhancement coefficient K = 5. For discarding high-frequency information, the generated weight matrix has the top-left 1/64 area set to 1, the bottom-right 1/64 area set to 0, and the values linearly decrease from 1 to 0 from the top-left to the bottom-right.

4.2. Attack Models

The effectiveness of the proposed method was evaluated by comparing it with benchmark methods (MI-FGSM, DI-FGSM, $S^{2}I$-FGSM). Adversarial examples generated by the proposed method were first created on four standard models and then evaluated for transferability on five standard models and three defense models.

Table 1. The table below shows the success rates of ensemble attacks based on IFGSM, with adversarial examples generated from Inc-v3, Inc-v4, IncRes-v2, and Res_152. The best results are highlighted in bold.

Model	Attack	Inc_v3	Inc_v4	Inc_res_v2	Res_50	Res_101	Res_152	${\mathit{I}\mathit{n}\mathit{c}\text{\_}\mathit{v}3}_{\mathbf{e}\mathbf{n}\mathbf{s}3}$	${\mathit{I}\mathit{n}\mathit{c}\text{\_}\mathit{v}3}_{\mathbf{e}\mathbf{n}\mathbf{s}4}$	${\mathit{I}\mathit{n}\mathit{c}\mathit{R}\mathit{e}\mathit{s}\text{\_}\mathit{v}2}_{\mathbf{e}\mathbf{n}\mathbf{s}}$
Inc_v3	MI-FGSM DI-FGSM ${\mathbf{S}}^2\mathbf{I}$-FGSM FDE-FGSM(our)	100.00 100.00 99.70 99.70	51.50 56.70 63.70 75.60	46.50 47.60 58.80 73.10	48.30 46.70 57.50 69.70	42.90 42.30 52.60 62.80	41.40 40.90 48.60 61.50	22.80 18.50 31.20 42.60	21.30 19.80 33.00 43.30	11.00 9.00 17.10 24.00
Inc_v4	MI-FGSM DI-FGSM ${\mathbf{S}}^2\mathbf{I}$-FGSM FDE-FGSM(our)	60.90 63.20 70.70 78.40	99.90 99.80 99.70 99.30	45.50 46.20 55.50 64.50	46.30 41.90 55.40 63.70	42.70 38.40 49.90 57.70	43.10 38.30 48.60 57.60	19.80 15.50 30.90 38.90	18.40 16.50 31.80 38.50	10.70 8.70 17.60 24.90
Inc_res_v2	MI-FGS MDI-FGSM ${\mathbf{S}}^2\mathbf{I}$-FGSM FDE-FGSM(our)	61.00 64.40 76.40 85.60	52.70 60.60 68.00 78.10	99.20 99.60 98.30 98.20	50.90 48.10 60.50 73.70	44.60 46.30 58.30 69.50	44.30 45.00 56.20 66.80	22.00 17.80 37.60 51.50	22.10 18.10 33.90 46.90	13.10 11.80 28.40 39.90
Res_152	MI-FGSM DI-FGSM ${\mathbf{S}}^2\mathbf{I}$-FGSM FDE-FGSM(our)	55.80 63.10 66.50 73.20	51.20 60.30 62.30 67.40	46.50 57.70 56.80 65.80	84.70 89.80 92.80 95.00	85.50 91.90 93.10 95.40	99.40 99.80 99.80 99.10	26.60 26.30 37.90 43.50	26.10 24.10 35.10 41.40	15.20 15.20 25.30 29.30

shows the transferability of the proposed method compared to other methods. The proposed method outperforms other benchmarks in terms of transferability. For example, when Inc_v3 is used as the white-box model, the transfer success rates of MI-FGSM, DI-FGSM, and ${\mathrm{S}}^2\mathrm{I}$-FGSM on Inc_res_v2 are 46.50%, 47.60%, and 58.80%, respectively, while the success rate of the proposed method is 73.00%. This significant improvement demonstrates the effectiveness of the proposed method in enhancing transferability. Additionally, when combined with other attack methods, as shown in

Table 2. The table below presents the success rates of ensemble attacks based on MI-FGSM, with adversarial examples generated from Inc-v3, Inc-v4, IncRes-v2, and Res_152. The best results are highlighted in bold.

Model	Attack	Inc_v3	Inc_v4	Inc_res_v2	Res_50	Res_101	Res_152	${\mathit{I}\mathit{n}\mathit{c}\text{\_}\mathit{v}3}_{\mathbf{e}\mathbf{n}\mathbf{s}3}$	${\mathit{I}\mathit{n}\mathit{c}\text{\_}\mathit{v}3}_{\mathbf{e}\mathbf{n}\mathbf{s}4}$	${\mathit{I}\mathit{n}\mathit{c}\mathit{R}\mathit{e}\mathit{s}\text{\_}\mathit{v}2}_{\mathbf{e}\mathbf{n}\mathbf{s}}$
Inc_v3	SIM DI-MI VMI ${\mathbf{S}}^2\mathbf{I}$-MI ${\mathbf{S}}^2\mathbf{I}$-DI-TI-MI FDE-MI(our) FDE-DI-TI-MI(our)	100.00 100.00 100.00 99.60 99.10 99.90 99.70	76.30 78.80 73.90 87.90 92.00 93.60 95.20	74.90 73.50 68.50 86.10 91.20 93.30 93.80	72.60 71.20 64.90 83.70 87.80 90.50 91.50	68.60 67.60 59.90 81.40 86.80 89.30 90.70	69.00 68.30 61.00 80.90 87.40 89.30 90.50	39.90 40.80 38.80 55.10 81.70 69.20 89.20	38.00 38.40 38.70 56.50 80.40 70.20 87.90	23.80 21.70 23.30 35.20 69.60 45.00 78.80
Inc_v4	SIM DI-MI VMI ${\mathbf{S}}^2\mathbf{I}$-MI ${\mathbf{S}}^2\mathbf{I}$-DI-TI-MI FDE-MI(our) FDE-DI-TI-MI(our)	87.60 83.10 77.40 91.20 92.70 94.20 95.60	100.00 99.90 99.90 99.40 98.10 99.30 99.10	77.60 75.30 69.00 86.30 89.20 90.20 92.60	76.40 68.90 63.90 83.50 85.80 88.10 91.30	73.70 64.80 61.70 82.60 85.20 86.60 88.60	73.30 65.50 62.20 81.80 86.40 85.80 88.50	47.60 35.90 39.00 57.40 79.20 68.20 85.90	42.60 33.70 38.60 56.40 78.30 65.20 84.40	28.80 19.70 24.20 36.50 69.80 46.00 77.10
Inc_res_v2	SIM DI-MI VMI ${\mathbf{S}}^2\mathbf{I}$-MI ${\mathbf{S}}^2\mathbf{I}$-DI-TI-MI FDE-MI(our) FDE-DI-TI-MI(our)	86.20 81.90 78.70 90.40 90.40 94.10 94.40	83.70 79.70 74.50 88.90 89.10 92.20 93.40	99.90 99.50 98.80 98.00 97.30 98.80 97.90	79.30 73.20 66.80 86.30 85.70 89.80 92.00	77.60 72.10 65.60 84.30 84.50 89.80 91.40	76.30 69.80 63.00 84.10 84.40 88.80 91.20	55.70 43.10 45.80 68.90 80.00 78.10 91.10	48.70 39.30 41.70 63.40 76.50 73.80 88.70	39.70 30.60 34.30 55.70 76.30 66.40 86.40
Res_152	SIM DI-MI VMI ${\mathbf{S}}^2\mathbf{I}$-MI ${\mathbf{S}}^2\mathbf{I}$-DI-TI-MI FDE-MI(our) FDE-DI-TI-MI(our)	76.40 85.10 72.90 87.80 93.60 91.40 94.70	73.30 83.90 67.10 86.90 93.20 89.30 93.30	71.70 80.10 65.80 85.50 92.20 90.40 93.80	95.10 95.30 92.30 97.50 98.10 97.70 98.20	95.50 96.00 92.60 97.40 97.90 97.90 98.20	99.80 99.90 99.50 99.70 99.80 99.50 99.30	47.00 51.70 46.10 62.90 85.70 71.30 89.80	43.50 48.20 41.90 59.70 84.30 68.80 87.40	29.90 34.60 30.60 46.40 79.70 55.00 83.80

, the proposed method also exhibits superior performance. For instance, when combined with the momentum-based methods, the transfer success rates on Res_152 when using Inc_v3 as the white-box model are 69.00% for SIM, 68.30% for DI-MI, 61.00% for VMI, and 80.90% for $S^{2}I$-MI, whereas the proposed method achieves a success rate of 89.30%. This further highlights the effectiveness of our method in improving transferability. When combined with TIM and DIM, our method demonstrated even stronger transferability. When using Inc_v3 as the white-box model, the transferability on non-defense models improved by 2.7–5.1% compared to ${\mathrm{S}}^2\mathrm{I}$-DI-TI-MI, and on defense models, the transferability increased by 6.5–9.2%.

4.3. Ablation Study

In this section, we examine the impact of different parameters (such as the enhancement coefficient, area, and frequency) on the transferability of adversarial samples generated using the proposed method.

First, we analyze the effect of different frequency domain enhancement areas S on the performance of FDE-MI, as shown in Figure 3a. The adversarial samples were generated on Inc_v3 with an enhancement coefficient K = 5 and frequency domain enhancement iterations Q = 2. It can be observed that the highest transferability is achieved when S is set to 70 × 70. However, when S exceeds 70 × 70, the transferability begins to decline. This decline may be due to the larger enhancement area causing significant alterations to the image, potentially changing its semantic content.

In Figure 3b, we investigate the effect of different enhancement coefficients K on transferability. For this experiment, we fixed the enhancement area S = 70 × 70 and the frequency domain enhancement iterations Q = 2. The results show that the best transferability is achieved when K is between 5 and 7. However, when K exceeds 7, the success rate begins to decrease, likely because an excessively large enhancement coefficient causes the image to lose its essential semantic information.

In Figure 3c, we study the impact of the number of enhancements Q on transferability, with the enhancement area S set to 70 × 70 and the enhancement coefficient K set to 5. The results indicate that performance improves as the number of enhancements Q increases. Notably, even after a single enhancement (Q = 1), as shown in Figure 4, FDE achieves success rates of 91.50%, 92.20%, 88.50%, 86.70%, and 86.40% on Inc_v4, Inc_res_v2, Res_50, Res_101, and Res_152, respectively, which are significantly higher than the corresponding success rates of 87.90%, 86.10%, 83.70%, 81.40%, and 80.90% achieved by $S^{2}I$-MI. This demonstrates the effectiveness of the proposed method.

In Figure 5, we study the impact of two types of frequency domain modifications in FDE on the transferability of generated adversarial samples. The FDE-FGSM method was applied on Inc_v3 with an enhancement coefficient K = 5, frequency domain enhancement iterations Q = 2, and enhancement area S = 70 × 70. The performance was evaluated across five models. The results indicate that both types of frequency domain operations play a crucial role in enhancing the transferability of the generated adversarial samples using the proposed method.

5. Conclusions

In this paper, we propose a novel frequency domain enhancement method, termed FDE, which enhances images from a frequency domain perspective to improve the transferability of generated adversarial samples. Specifically, for an input image, we suppress the high-frequency information while enhancing the frequency domain information in certain regions. Extensive experiments demonstrate that FDE outperforms baseline methods in terms of transferability and can be further combined with existing approaches to enhance transferability. In future work, we plan to continue exploring the frequency domain of images to develop more robust adversarial attack methods.