{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,21]],"date-time":"2025-10-21T15:51:29Z","timestamp":1761061889221,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":34,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,16]],"date-time":"2023-10-16T00:00:00Z","timestamp":1697414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,16]]},"DOI":"10.1145\/3607199.3607227","type":"proceedings-article","created":{"date-parts":[[2023,10,3]],"date-time":"2023-10-03T22:30:51Z","timestamp":1696372251000},"page":"315-329","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Your Attack Is Too DUMB: Formalizing Attacker Scenarios for Adversarial Transferability"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5963-4599","authenticated-orcid":false,"given":"Marco","family":"Alecci","sequence":"first","affiliation":[{"name":"University of Luxembourg, Luxembourg"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3612-1934","authenticated-orcid":false,"given":"Mauro","family":"Conti","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5282-0965","authenticated-orcid":false,"given":"Francesco","family":"Marchiori","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6249-0899","authenticated-orcid":false,"given":"Luca","family":"Martinelli","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6749-6608","authenticated-orcid":false,"given":"Luca","family":"Pajola","sequence":"additional","affiliation":[{"name":"University of Padua, Italy"}]}],"member":"320","published-online":{"date-parts":[[2023,10,16]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proceedings, Part XXIII. Springer, 484\u2013501","author":"Andriushchenko Maksym","year":"2020","unstructured":"Maksym Andriushchenko, Francesco Croce, Nicolas Flammarion, and Matthias Hein. 2020. Square attack: a query-efficient black-box adversarial attack via random search. In Computer Vision\u2013ECCV 2020: 16th European Conference, Glasgow, UK, August 23\u201328, 2020, Proceedings, Part XXIII. Springer, 484\u2013501."},{"key":"e_1_3_2_1_2_1","volume-title":"Bridging the Gap Between Adversarial ML Research and Practice. arXiv preprint arXiv:2212.14315","author":"Apruzzese Giovanni","year":"2022","unstructured":"Giovanni Apruzzese, Hyrum\u00a0S Anderson, Savino Dambra, David Freeman, Fabio Pierazzi, and Kevin\u00a0A Roundy. 2022. \" Real Attackers Don\u2019t Compute Gradients\": Bridging the Gap Between Adversarial ML Research and Practice. arXiv preprint arXiv:2212.14315 (2022)."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2018.8548327"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128824"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1613\/jair.953"},{"key":"e_1_3_2_1_6_1","volume-title":"Captcha Attack: Turning Captchas Against Humanity. arXiv preprint arXiv:2201.04014","author":"Conti Mauro","year":"2022","unstructured":"Mauro Conti, Luca Pajola, and Pier\u00a0Paolo Tricomi. 2022. Captcha Attack: Turning Captchas Against Humanity. arXiv preprint arXiv:2201.04014 (2022)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1609\/icwsm.v11i1.14955"},{"volume-title":"28th USENIX security symposium","author":"Demontis Ambra","key":"e_1_3_2_1_8_1","unstructured":"Ambra Demontis, Marco Melis, Maura Pintor, Jagielski Matthew, Battista Biggio, Oprea Alina, Nita-Rotaru Cristina, Fabio Roli, 2019. Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks. In 28th USENIX security symposium. USENIX Association, 321\u2013338."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","unstructured":"Yinpeng Dong Tianyu Pang Hang Su and Jun Zhu. 2019. Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks. 4307\u20134316. https:\/\/doi.org\/10.1109\/CVPR.2019.00444","DOI":"10.1109\/CVPR.2019.00444"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISBI.2018.8363576"},{"key":"e_1_3_2_1_11_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow J","year":"2014","unstructured":"Ian\u00a0J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3270101.3270103"},{"key":"e_1_3_2_1_13_1","volume-title":"arXiv preprint arXiv:2207.05164","author":"Grosse Kathrin","year":"2022","unstructured":"Kathrin Grosse, Lukas Bieringer, Tarek\u00a0Richard Besold, Battista Biggio, and Katharina Krombholz. 2022. \" Why do so?\"\u2013A Practical Perspective on Machine Learning Security. arXiv preprint arXiv:2207.05164 (2022)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_1_15_1","volume-title":"Torchattacks: A pytorch repository for adversarial attacks. arXiv preprint arXiv:2010.01950","author":"Kim Hoki","year":"2020","unstructured":"Hoki Kim. 2020. Torchattacks: A pytorch repository for adversarial attacks. arXiv preprint arXiv:2010.01950 (2020)."},{"key":"e_1_3_2_1_16_1","volume-title":"One weird trick for parallelizing convolutional neural networks. arXiv preprint arXiv:1404.5997","author":"Krizhevsky Alex","year":"2014","unstructured":"Alex Krizhevsky. 2014. One weird trick for parallelizing convolutional neural networks. arXiv preprint arXiv:1404.5997 (2014)."},{"volume-title":"Artificial intelligence safety and security","author":"Kurakin Alexey","key":"e_1_3_2_1_17_1","unstructured":"Alexey Kurakin, Ian\u00a0J Goodfellow, and Samy Bengio. 2018. Adversarial examples in the physical world. In Artificial intelligence safety and security. Chapman and Hall\/CRC, 99\u2013112."},{"key":"e_1_3_2_1_18_1","volume-title":"A new generation of perspective api: Efficient multilingual character-level transformers. arXiv preprint arXiv:2202.11176","author":"Lees Alyssa","year":"2022","unstructured":"Alyssa Lees, Vinh\u00a0Q Tran, Yi Tay, Jeffrey Sorensen, Jai Gupta, Donald Metzler, and Lucy Vasserman. 2022. A new generation of perspective api: Efficient multilingual character-level transformers. arXiv preprint arXiv:2202.11176 (2022)."},{"key":"e_1_3_2_1_19_1","volume-title":"Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083","author":"Madry Aleksander","year":"2017","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)."},{"key":"e_1_3_2_1_20_1","volume-title":"Transfer Attacks Revisited: A Large-Scale Empirical Study in Real Computer Vision Settings. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 1423\u20131439","author":"Mao Yuhao","year":"2022","unstructured":"Yuhao Mao, Chong Fu, Saizhuo Wang, Shouling Ji, Xuhong Zhang, Zhenguang Liu, Jun Zhou, Alex\u00a0X Liu, Raheem Beyah, and Ting Wang. 2022. Transfer Attacks Revisited: A Large-Scale Empirical Study in Real Computer Vision Settings. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 1423\u20131439."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_1_22_1","volume-title":"Cross-domain transferability of adversarial perturbations. Advances in Neural Information Processing Systems 32","author":"Naseer Muhammad\u00a0Muzammal","year":"2019","unstructured":"Muhammad\u00a0Muzammal Naseer, Salman\u00a0H Khan, Muhammad\u00a0Haris Khan, Fahad Shahbaz\u00a0Khan, and Fatih Porikli. 2019. Cross-domain transferability of adversarial perturbations. Advances in Neural Information Processing Systems 32 (2019)."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00023"},{"key":"e_1_3_2_1_24_1","volume-title":"Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277 (2016)."},{"key":"e_1_3_2_1_25_1","volume-title":"Proceedings of the 28th USENIX Security Symposium. USENIX Association, 729\u2013746","author":"Pendlebury Feargus","year":"2019","unstructured":"Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, Lorenzo Cavallaro, 2019. TESSERACT: Eliminating experimental bias in malware classification across space and time. In Proceedings of the 28th USENIX Security Symposium. USENIX Association, 729\u2013746."},{"key":"e_1_3_2_1_26_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_1_27_1","volume-title":"Generalized Transferability for Evasion and Poisoning Attacks. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Suciu Octavian","year":"2018","unstructured":"Octavian Suciu, Radu Marginean, Yigitcan Kaya, Hal\u00a0Daume III, and Tudor Dumitras. 2018. When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 1299\u20131316."},{"key":"e_1_3_2_1_28_1","volume-title":"Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204","author":"Tram\u00e8r Florian","year":"2017","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, and Patrick McDaniel. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204 (2017)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01482"},{"key":"e_1_3_2_1_30_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Wu Ruoyu","year":"2022","unstructured":"Ruoyu Wu, Taegyu Kim, Dave\u00a0Jing Tian, Antonio Bianchi, and Dongyan Xu. 2022. { DnD} : A { Cross-Architecture} Deep Neural Network Decompiler. In 31st USENIX Security Symposium (USENIX Security 22). 2135\u20132152."},{"key":"e_1_3_2_1_31_1","volume-title":"USENIX Security Symposium. 443\u2013460","author":"Xiao Qixue","year":"2019","unstructured":"Qixue Xiao, Yufei Chen, Chao Shen, Yu Chen, and Kang Li. 2019. Seeing is Not Believing: Camouflage Attacks on Image Scaling Algorithms.. In USENIX Security Symposium. 443\u2013460."},{"volume-title":"Security risks in deep learning implementations. In 2018 IEEE Security and privacy workshops (SPW)","author":"Xiao Qixue","key":"e_1_3_2_1_32_1","unstructured":"Qixue Xiao, Kang Li, Deyue Zhang, and Weilin Xu. 2018. Security risks in deep learning implementations. In 2018 IEEE Security and privacy workshops (SPW). IEEE, 123\u2013128."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00032"},{"key":"e_1_3_2_1_34_1","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 15115\u201315125","author":"Zhang Jie","year":"2022","unstructured":"Jie Zhang, Bo Li, Jianghe Xu, Shuang Wu, Shouhong Ding, Lei Zhang, and Chao Wu. 2022. Towards efficient data free black-box adversarial attack. In Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition. 15115\u201315125."}],"event":{"name":"RAID 2023: The 26th International Symposium on Research in Attacks, Intrusions and Defenses","acronym":"RAID 2023","location":"Hong Kong China"},"container-title":["Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607227","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3607199.3607227","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:35Z","timestamp":1750178255000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607227"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,16]]},"references-count":34,"alternative-id":["10.1145\/3607199.3607227","10.1145\/3607199"],"URL":"https:\/\/doi.org\/10.1145\/3607199.3607227","relation":{},"subject":[],"published":{"date-parts":[[2023,10,16]]},"assertion":[{"value":"2023-10-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}