Boosting Adversarial Transferability via Region-Wise PCGrad and Margin-Guided Adaptive Weighting for Ensemble Attack

Adversarial attacks have been extensively studied in recent years to investigate the vulnerability mechanisms of deep neural networks and enhance model robustness and security. However, the transferability of adversarial examples across different models remains a fundamental challenge in black-box attacks. Existing ensemble attack methods primarily aggregate gradient information from multiple surrogate models through simple averaging, failing to consider gradient conflicts and cancellations among heterogeneous models, which results in poor transferability. To address this limitation, we propose a novel ensemble adversarial attack method called Region-wise PCGrad and Margin-Guided Adaptive Weighting Ensemble Attack (RPMGEA). To tackle gradient conflicts, we adopt a region-wise PCGrad method that divides gradient maps into semantically relevant regional blocks for conflict resolution. To address weight allocation issues, we directly measure transferability contributions by evaluating decision boundary changes caused by temporary adversarial examples generated from each model’s gradients across all models, thereby adaptively allocating weights to the models. RPMGEA significantly enhances the transferability of ensemble attacks, achieving average attack success rates of up to 93.7% and 90.4% on conventional and adversarial training models, respectively, and up to 88.9% on defense models, demonstrating superior performance compared to existing state-of-the-art ensemble attack methods.