Transferability captures the ability of an attack against a machine-learning model to be effective against a different, potentially unknown, model. Empirical evidence for transferability has been shown in previous work, but the reasons why an attack transfers or not are not yet well understood. In this paper, we present a comprehensive analysis aimed to investigate the transferability of both test-time evasion and training-time poisoning attacks. We provide a unifying optimization framework for evasion and poisoning attacks, and a formal definition of transferability of such attacks. We highlight two factors contributing to attack transferability: the intrinsic adversarial vulnerability of the target model, and the complexity of the surrogate model used to optimize the attack. Based on these insights, we define three metrics that impact an attack's transferability. Interestingly, our results derived from theoretical analysis hold for both evasion and poisoning attacks, and are confirmed experimentally using a wide range of linear and non-linear classifiers and datasets.
Demontis et al. studied this question.