Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et alK. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026..
Dual-Flow: Transferable Multi-Target, Instance-Agnostic Attacks via $\textit{In-the-wild}$ Cascading Flow Optimization
Authors: Yixiao Chen, Shikun Sun, Jianshu Li, Ruoyu Li, Zhe Li, Junliang Xing
NeurIPS 2025 | Venue PDF | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments demonstrate that Dual-Flow significantly improves transferability over previous multi-target generative attacks. For example, it increases the success rate from Inception-v3 to Res Net-152 by 34.58%. Furthermore, our attack method shows substantially stronger robustness against defense mechanisms, such as adversarially trained models. |
| Researcher Affiliation | Collaboration | Yixiao Chen1, , Shikun Sun1, , Jianshu Li2, Ruoyu Li2, Zhe Li2, Junliang Xing1 1Tsinghua University, 2Ant Group EMAIL, EMAIL, EMAIL |
| Pseudocode | Yes | Algorithm 1 Cascading Distribution Shift Training Input: τ = Nδ, stepsize δ, model param. ϕ, θ, source model f, target labels set C, training dataset {Ii}i I, learning rate lr Initialize θ = ϕ. repeat get x0 = Ii sample c C for t = 1 to N do xtδ = x(t 1)δ + vϕ(x(t 1)δ, (t 1)δ, )δ end for for t = N to 1 do x(t 1)δ = xtδ vθ(xtδ, tδ, c)δ c x0 = xtδ vθ(xtδ, tδ, c)tδ c x0 = clip (c x0, x ϵ, x + ϵ) θ = θ lr θ(CE(f(c x0), c)) end for end for until vθ convergence Return: Dual-Flow {vϕ, vθ} Algorithm 2 Dual-Flow Sampling Input: τ = Nδ, stepsize δ, image I, target label c, Dual-Flow {vϕ, vθ} x = I. for t = 1 to N do xtδ = x(t 1)δ + vϕ(x(t 1)δ, (t 1)δ, )δ end for for t = N to 1 do x(t 1)δ = xtδ vθ(xtδ, tδ, c)δ end for x0 = clip (x0, x ϵ, x + ϵ) Return: x0 |
| Open Source Code | Yes | The code of Dual-Flow is available at: https://github.com/Chyxx/Dual-Flow. |
| Open Datasets | Yes | Dataset. Following [69, 18, 17], we train the model on the Image Net training set[10] and evaluate the attack performance using Image Net-Neur IPS (1k) dataset proposed by Neur IPS 2017 adversarial competition[44]. |
| Dataset Splits | Yes | Dataset. Following [69, 18, 17], we train the model on the Image Net training set[10] and evaluate the attack performance using Image Net-Neur IPS (1k) dataset proposed by Neur IPS 2017 adversarial competition[44]. Transferability Evaluation On Image Net Validation Set. In addition to the evaluation on the Image Net-Neur IPS (1k) dataset[44], we conducted an assessment of our attack method on the Image Net validation set (50k)[10] and compared it with the state-of-the-art multi-target attack method, CGNC[17]. |
| Hardware Specification | Yes | For multi-target training, we use a learning rate of 2.5 10 5 and a total batch size of 8 (distributed across two NVIDIA RTX 3090 GPUs, each with 24GB memory and batch size 4). Training under this setting takes approximately one day to complete. For single-target fine-tuning, we set the learning rate to 1 10 5 and a batch size of 4, conducted on a single NVIDIA RTX 3090 GPU, which requires approximately 4 hours. |
| Software Dependencies | No | Implementation Details. We adopt stable-diffusion [48] as our pre-trained diffusion model. We set τ = 0.25 and N = 6 for training and testing. The Lo RA rank is 16. For normally trained models (including transformer models), we directly call these models and their weights through the torchvision [40] or timm [63] libraries. |
| Experiment Setup | Yes | Implementation Details. We adopt stable-diffusion [48] as our pre-trained diffusion model. We set τ = 0.25 and N = 6 for training and testing. The Lo RA rank is 16. Following previous work [69, 18, 17], we choose Res-152 and Inc-v3 as source models to train our model. The perturbation budget ϵ is 16/255. We conduct 50k steps of training for multi-target tasks. To compare our method with other single-target attacks, we further fine-tune our model for an additional 10k steps to specialize in a single target class(more details provided in Appendix D.2). For multi-target training, we use a learning rate of 2.5 10 5 and a total batch size of 8 (distributed across two NVIDIA RTX 3090 GPUs, each with 24GB memory and batch size 4). Training under this setting takes approximately one day to complete. For single-target fine-tuning, we set the learning rate to 1 10 5 and a batch size of 4, conducted on a single NVIDIA RTX 3090 GPU, which requires approximately 4 hours. |