Harnessing the Computation Redundancy in ViTs to Boost Adversarial Transferability

1. Although all proposed techniques aim to exploit computational redundancy in ViTs for improved transferability of adversarial examples, the interconnections among them are not strong. Each technique targets a different aspect or type of redundancy and differs significantly in its implementation. This diversity may give the impression that the work lacks a clear central idea. The authors should refine the writing to better unify these techniques under a coherent framework.

A:

In this paper, we analyze the computational redundancy of each module in ViT, and carefully design the strategies to leverage the redundancy to improve the diversity, thus boost the adversarial transferability.

Our proposed stratgies can be categorized into two categorizes, including self-ensemble (attention weight dropping, attention head permutation, ghost MoE) and regularization-based (clean token regularization, robust tokens) strategies. The self-ensemble strategies are designed by exploiting the redundancy within the model, while the regularization strategies are build on the externel parameters.

2. Section 4 is not clearly written in my view. For instance, in Equation (9), is f the surrogate model? Since this involves training, the relevant settings must be clearly described.

A: In Eq. (9) of Section 4, we target at searching for a good combination M of our proposed strategy to redundize the surrogate model f to maximize the loss function value on the adversarial example x+$\delta$.

We will make it clear in our revision.

3. Regarding the experiments in Figure 6, I would like to know the clean accuracy of each model on the original test set, and how much the accuracy drops under adversarial attacks, rather than only showing the accuracy on adversarial examples.

A: To deploy the LLM for image classification, we use the open-book setting, that we prompt the LLM with the image with 1000 labels from ImageNet-1K. To avoid the overflow of capcable window length, i.e., LLaVA and DeepSeek (4K), we respectively prompt the LLM to choose the most likely answer from 1000/4=250 labels, then choose the only one from four as the final classification result.

We report the attack success rate (ASR ↑) for each method on the LLMs. The "Benign" column indicates the ASR when using clean images, so the clean accuracy is 1−ASR. Accordingly, the accuracy drops under adversarial attacks are as follows:

• LLaVA: 24.0% accuracy on clean images; drops by 8.9%–13.9% under adversarial attacks.
• Qwen: 76.0% → drops by 27.5%–53.1%
• InternVL: 57.2% → drops by 17.9%–35.1%
• DeepSeek: 26.2% → drops by 8.0%–13.7%

4. The adversarial examples are claimed to be imperceptible to human vision, but there is no concrete evidence or visualization to support this claim in either the main text or the appendix. The authors should clearly specify the attack strength settings and provide corresponding visualizations.

A: Thanks for your suggestion. In our paper, we follow the previous standard setting to set the $\epsilon$ as 16/255, the number of iterations $T$ as 10, and use the L_\inf distance as the perturbation measurement. Due to the limit of rebuttal format, we would provide visualization examples in our revision.

1. In our paper, we refer the computational redundancy within ViTs as the operations that ViT do or can do are not essentail to do harm the task performance, i.e., maintain the performance. Due to this point, we think the attention head permutation and the clean token regularization belong to the methods that leverage the computational redundancy to improve the adversarial transferability.

For attention head permutation, the computational redundancy exits in the similarity between different attetion weights, which motivates us to permute part of them to improve the attention diversity thus enhancing the adversarial transferability.

For clean token regularization, the computational redundancy arises due to the input redundancy, where appending some virtue tokens would not do harm to the performance. This motivates us to introduce clean tokens for gradient regularization for improving the performance.

2. (1) The core insight behind the improved adversarial transferability lies in diversity. In contrast to prior works that enhance input diversity, we focus on diversifying the computational structure of the surrogate model. To ensure the effectiveness of adversarial example generation, the surrogate model must retain a reasonable classification capability. We achieve this by exploiting the inherent redundancy in ViT computations to diversify the surrogate model’s architecture, thereby improving transferability.

(2) To enhance diversity, we leverage the redundancy of attention weights in ViTs by randomly masking a subset of them. This structural perturbation improves adversarial transferability by introducing variation in the model’s internal computations.

(3) To further diversify the FFN computation, we leverage its computational redundancy by transforming the standard FFN into a Mixture-of-Experts (MoE) structure composed of sparse subnetworks. This promotes architectural diversity and contributes to more transferable adversarial attacks.

3. As you suggested, we conduct experiments as follows. Results suggest that our method consistently achieves the state-of-the-art performance against different black-box models.

4. Thank you for your suggestion. Here, we provide the results of our method along with ablation experiments where Attention Sparsity Manipulation, Attention Head Permutation, and Robust Tokens Optimization are each removed individually. The results clearly show that removing any of these operations leads to a noticeable drop in the average black-box attack performance.

Thank you for your suggestion. Here, we provide the results of our method along with ablation experiments where Attention Sparsity Manipulation, Attention Head Permutation, and Robust Tokens Optimization are each removed individually. The results clearly show that removing any of these operations leads to a noticeable drop in the average black-box attack performance.

Due to time constraints, experiments involving removal of other operations and other ablation studies are not yet completed. We will include these results in the final version.

5. For Question1: Thanks for your suggestion. We conduct experiments on attacking suggested defenses using adversarial examples generated using two attacks, each one corresponds to the best attack within the model-agonistic and vit-specific attacks, under the ensemble setting (ViT-B and PiT). As shown in the table, our method consistently achieves the best attack performance versus all baselines.

6. For Question 2: On the one hand, in our experiments, we choose the hyper-parameters from the study in ViTs and apply them to the experiments using the PiTs and Swin. As indicated by the experiments, these parameters collecting from one source model is generalizable to other models.

On the other hand, we can use the proposed methods with different hyper-paramters to build the candidate pool, and leverage the optimization strategy proposed in Sec 4 to automatically search for the best equipment.

Thank you for your rebuttal. After carefully reading your reply, I think the scope of this paper, the Computation Redundancy is still too large for me. It seems that any technique can be attributed to this category. I suggest that authors revise my proposed suggestions into the revised verson of their paper.

Thank you again for the authors' rebuttal. I increase my score to borderline accept.

1. Thank you for the thorough feedback. We realized our wording obscured the key point: our goal is not to increase redundancy, but to leverage the redundancy that already exists in a ViT by sampling from it during gradient estimation. Below we clarify this and address each concern in turn.

(1) Core claim

If a subset of computations can be disabled with no drop in clean accuracy, that subset is a redundancy pool.
Randomly varying which members of that pool are active lets the attacker see an implicit ensemble. Ensemble‐style gradient generated by redundant operation boost black-box transfer.*

Hence we never promote a “more-redundancy-is-always-better” rule.
What we do is

1. Identify under-utilized paths in attack example generation,
2. Toggle them stochastically,
3. Convert the latent redundancy into diversity that improves transfer.

(2) Attention-sparsity experiment

Our Figure 1 shows a rise-then-fall curve:

• Moderate masking (≈30–60 %) → many alternative subnetworks → large effective ensemble → high transfer.
• Extreme masking (≈90 %) → ensemble shrinks and capacity erodes → low transfer.

Thus the experiment does not say “less redundancy helps”; it shows that sampling a moderate portion of the redundancy pool maximizes diversity without harming signal.

(3) Other techniques follow the same recipe

When we keep the stochasticity but remove the redundant pool (e.g. permuting all heads identically), the gains disappear, indicating the benefit comes from sampling functionally distinct subnetworks, not mere gradient smoothing.

2. We agree that explaining why redundancy aids transfer is important.
   Although our study is chiefly empirical, we now provide a concise conceptual model and targeted diagnostics that support it.

Latent ensemble. Redundant ViT paths form an implicit set of subnetworks $\{f_{\theta^{(k)}}\}$ that all predict correctly.

Gradient smoothing & alignment. Stochastic toggling yields the gradient, which averages away idiosyncratic directions while retaining the component common to many subnetworks, exactly the component most likely shared with an unseen target model.

higher gradient–alignment ⇒ better black-box transfer.

Computational redundancy supplies a free ensemble; sampling over it smooths gradients and aligns them with those of other models, thereby boosting transfer. We believe these additions satisfy the request for deeper insight while keeping the paper focused and concise.

3. Thanks for your suggestion. We follow previous work to conduct experiments on ImageNet-1K, which is a gold standard scalable dataset to verify the effectiveness of the proposed attack methods and meets the requirement of real-world scenerios.

We conduct additional experiments on attacking different defenses using adversarial examples generated from ViT-B/16 surrogate under various methods. As shown in the table, our method consistently achieves the best attack performance versus all baselines.

Hi reviewer eQUe , we have attached all our response here. Please let us know if you have any questions or concerns :) Thanks for all your efforts in reviewing our paper and giving us suggestions to improve it!!

For Question 1&Question 2:

A: Vision Transformers (ViTs) contain computational redundancy—extra capacity whose removal barely affects clean accuracy. We repurpose this “free” space to boost adversarial transferability, i.e., the ability of crafted examples to fool a wide range of surrogate models.

The reason why we need operations those are redundant and will not harm the original task performance is that we still need a "good" model to generate adversarial examples. If the model performs badly on the given task, the adversarial transferability of the generated adversarial example is also degraded due to the inaccurate gradient estimation towards loss maximum.

Taking the mentioned two operations as example:

For clean token injection (CTI): Injecting a few unperturbed tokens scarcely changes ViT accuracy (100 % → 99.7 % on our test set), confirming surplus capacity to be exploited. Different from previous techniques which aim to generate self-ensemble models, these fixed tokens act as a gradient regularizer respect to the adversarial tokens, producing smoother, more transferable perturbations. A similar idea is also explored in CNN-based adversarial attacks, which mix-up the features of clean images to smooth the gradient for adversarial perturbation generation to boost the adversarial transferability. [a]

For Robust-token optimization (RTO): Building on CTI, RTO treats the injected tokens as dynamic, image-specific weights. During the attack we solve a min–max game that jointly optimizes these tokens and the pixel-level perturbation, effectively robustifying the surrogate before launching the final attack. Theory [b] and practice both suggest that attacking this strengthened model yields adversarial examples with even higher cross-model success.

Along with other proposed techniques in our paper, the introduce of these operations into the surrogate ViT will nor harm the model on the task, which guarantees the accuracy of gradient estimation towards loss maximum during attacks. The introduce of these operations additionally provides us space to boost the adversarial transferability by introducing more randomness&diversity (attention weight masking, attention head permutation, ghost MoE), regularization (clean token injection), and more (dynamic and free) parameters to help optimization (robust token optimization)

[a] Byun, Junyoung, et al. "Introducing competition to boost the transferability of targeted adversarial examples through clean feature mixup." Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2023.
[b] JoeyBose,GauthierGidel,HugoBerard,AndreCianflone,PascalVincent,SimonLacoste-Julien, and Will Hamilton. Adversarial example games. Advances in neural information processing systems,33:8921–8934,2020.

For Question 3: ViTs have far more parameters than comparably accurate CNNs, and—crucially—those parameters are evenly spread across self-attention layers rather than tied up in shared convolutional filters. This yields a larger, more isotropic redundant subspace that we can exploit.
Besides, CNN weight sharing and locality impose strong priors that constrain gradient directions; redundant filters often correlate along spatial dimensions, so “free” capacity for adversarial transferability improvement is not always accessible easily. ViTs rely less on such priors and more on sheer scale plus pre-training data, leaving their extra dimensions comparatively unconstrained and easier to co-opt for transfer.
Last, compared with CNNs, ViTs are pre-trained on much more large scale dataset, i.e., the LAION dataset, which makes it more redundant compared with the ImageNet-pretrained CNNs.

To isolate the effect of computational redundancy, we removed the same proportion of features in a Vision Transformer (ViT-B/16) and a convolutional network of comparable size (ResNeXt-101-32×8d).

In the ViT we zeroed out an equal share of attention weights. In the ResNeXt we zeroed out the corresponding share of convolutional feature maps. All other attack settings follow those in the main paper.

Tab. Attack Success Rate (%) on each victim model when applying the dropping operation (10%) on ViT and ResNeXt respectively.

First, on benign samples, when applying the dropping operations, ViT get the classification accuracy of 99.9%, while the ResNeXt get the classification accuracy of 95.9%.

Because the CNN’s accuracy declines more sharply, its computations are less redundant and therefore more sensitive to perturbation. Conversely, the ViT can shed the same amount of computation with almost no loss, indicating higher redundancy—which we convert into diversity/regularisation that enhances adversarial transferability as indicated by the table results.

These results support our claim: the richer computational redundancy in Vision Transformers can be exploited more effectively than in CNNs to boost transfer attacks.

Hi Reviewer eQUe, We have just updated the supporting experiments and added some theoretical insights to further clarify Weakness 2 and Question 3. If you have any further questions about Weakness 2, Question 3, or any other aspect of the paper, please let us know — we’d be happy to clarify.

Thanks again for your help and careful review with valuable suggestions!

Thank you for your thoughtful comments and raising the score!! We greatly appreciate your suggestions for improving the quality of our paper.

We are actively working on it and will update the response as well as the revision with the redundancy experiment comparing ViT and CNN as soon as possible.

Thank you again for your careful review and valuable insights.

1. Thank you for the insightful question.

The performance of the model on benign samples is presented in the following table. The redundancy enables us to generate a set of subnetworks of the original model, which only has a minor task performnace drop. The original attack pipeline is actually transformed into attacking the self-ensemble models, thus improving the adversarial transferability significantly.

Note: A.S.M. = Attention Sparsity Manipulation, A.H.P. = Attention Head Permutation, C.T.R. = Clean Token Regularization, MoE = Ghost MoE Diversification, R.T.O. = Robust Token Optimization. These abbreviations are used only in this table for brevity.

Among the operations, Clean Token Regularization introduces minimal degradation, as it concatenates clean image features during inference, which has little impact when predicting on clean inputs.

2. We write $f_{\theta}$ for a Vision Transformer whose parameters are partitioned into blocks $(\theta_{1},\dots,\theta_{L})$. For an input–label pair $(x,y)$ the cross‑entropy loss is $\mathcal{L}(x,y)=\text{CE}\!\bigl(f_{\theta}(x),y\bigr)$. The symbol $d_{\ell}$ denotes the number of parameters in block $\ell$. For each block we define $\mathcal{S}(\ell) \=\ \frac{1}{d_{\ell}}\operatorname{Tr}(\nabla_{\theta_{\ell}}^{2}\mathcal{L})$ , i.e. the trace of the block‑wise Hessian normalised by its dimension. We set $g(x)=\nabla_{x}\mathcal{L}(x,y)$. An adversarial perturbation is denoted $\delta$ and is constrained by $\|\delta\|\le\varepsilon$.

1) Redundancy ⇒ Low Sensitivity

Lemma 1 (Redundancy bound).
For any two blocks i, j that receive the same parameter perturbation Δθ, $\bigl|\mathcal{L}(f_{\theta+Δθ_{(i)}})-\mathcal{L}(f_{\theta+Δθ_{(j)}})\bigr| \;\le\; \|Δθ\|_{2}\,\bigl|\mathcal{S}(i)-\mathcal{S}(j)\bigr|.$

In ViTs, blocks beyond the first ≈30 % show an order‑of‑magnitude lower 𝒮—they are computationally redundant.

2) Randomising Redundant Parts Flattens Curvature

Let T(·;ω) be a random operation (head permutation, sparsity mask, ghost expert, etc.) applied only to low‑𝒮 blocks and define
$\tilde{f_{\theta}}(x) = f_{\theta}(T(x;ω)), \qquad ω∼𝒰.$

Proposition 2 (Spectral‑Hessian contraction).

Flatter expected curvature → larger inner‑max loss for any victim model sharing gradient directions with f_θ.

3) Global Transferability Lower Bound

Theorem 3.

Because Proposition 2 reduces the denominator while leaving σ_min(g) intact, the bound strictly increases, ensuring stronger black‑box success.

Key Take‑aways

1) Low‑𝒮 ViT blocks (redundant parts) can be perturbed with negligible accuracy loss — Lemma 1.
2)  Randomising those blocks flattens curvature — Proposition 2.
3) Flatter curvature gives a provable boost in transferable attack strength — Theorem 3.

Therefore, exploiting computational redundancy in ViTs is theoretically sufficient—and empirically necessary—for high adversarial transferability.

3. The insight behind the permutation of attention heads is that the attention weights computed by different attention heads are similar due to similar interest of area. It is different from rearranging the values, which breaks the correspondance between the Key and Value within different attention heads.

As shown in Fig. 3, the adversarial transferability while permutating under 10% attention heads still performes better than the baseline method MI-FGSM. But due to limited number of attention heads permutated, there are minor improvement due to the limited diversity introduced.

4. Thanks for your suggestion. We conduct experiments on attacking different defenses using adversarial examples generated from ViT-B/16 surrogate under various methods. As shown in the table, our method consistently achieves the best attack performance versus all baselines.

5. Thank you for your suggestion. Here, we provide the results of our method along with ablation experiments where Attention Sparsity Manipulation, Attention Head Permutation, and Robust Tokens Optimization are each removed individually. The results clearly show that removing any of these operations leads to a noticeable drop in the average black-box attack performance.

Due to time constraints, experiments involving removal of other operations and comparisons with or without the online learning-based strategy are not yet completed. We will include these results in the final version.

6. We report the attack success rate (ASR ↑) for each method on the LLMs. The "Benign" column indicates the ASR when using clean images.

To deploy the LLM for image classification, we use the open-book setting, that we prompt the LLM with the image with 1000 labels from ImageNet-1K. To avoid the overflow of capcable window length, i.e., LLaVA and DeepSeek (4K), we respectively prompt the LLM to choose the most likely answer from 1000/4=250 labels, then choose the only one from four as the final classification result.

Hi, we have attached our response here. Please let us know if you have any questions or concerns :) Thanks for all your efforts in reviewing our paper and giving us suggestions to improve it!!