Transformation-Dependent Adversarial Attacks

Yaoteng Tan, Zikui Cai, M. Salman Asif
2024-06-13
Abstract: We introduce transformation-dependent adversarial attacks, a new class of threats where a single additive perturbation can trigger diverse, controllable mis-predictions by systematically transforming the input (e.g., scaling, blurring, compression). Unlike traditional attacks with static effects, our perturbations embed metamorphic properties to enable different adversarial attacks as a function of the transformation parameters. We demonstrate the transformation-dependent vulnerability across models (e.g., convolutional networks and vision transformers) and vision tasks (e.g., image classification and object detection). Our proposed geometric and photometric transformations enable a range of targeted errors from one crafted input (e.g., higher than 90% attack success rate for classifiers). We analyze effects of model architecture and type/variety of transformations on attack effectiveness. This work forces a paradigm shift by redefining adversarial inputs as dynamic, controllable threats. We highlight the need for robust defenses against such multifaceted, chameleon-like perturbations that current techniques are ill-prepared for.
Computer Vision and Pattern Recognition, Machine Learning
What problem does this paper attempt to address?
### Problems the paper attempts to solve

This paper addresses a limitation of existing adversarial attack methods: they usually produce a single adversarial effect under specific conditions and cannot flexibly deal with different transformations of the input image. Specifically, the paper introduces a new form of adversarial attack, **Transformation-Dependent Adversarial Attacks**. This attack adds a carefully designed tiny perturbation to an input image, enabling the image to trigger multiple controllable misclassifications after undergoing different transformations.

### Key point summary

1. **Problem background**:
   - Existing adversarial attacks mainly focus on generating imperceptible perturbations to make the model misclassify the input image.
   - In practical applications, the input image may be transformed due to changes in viewing angle, lighting conditions, and resolution, and these transformations may affect the prediction results of the model.
2. **Research motivation**:
   - Traditional adversarial attack methods usually assume that the perturbation is static and do not consider transformations of the input image.
   - The authors propose a new form of attack, the transformation-dependent adversarial attack, which can trigger different misclassifications according to the transformation applied to the input image.
3. **Main contributions**:
   - **Introducing new concepts**: Proposed transformation-dependent adversarial attacks, in which a single perturbation can embed multiple targeted attacks, each triggered by applying a predefined transformation to the input image.
   - **Experimental verification**: Through extensive experiments, demonstrated the effectiveness and diversity of this attack under different models and transformation types.
   - **Analyzing influencing factors**: Explored the influence of factors such as the choice of transformation function, model architecture, and the number of embedded target attacks on attack effectiveness.
   - **Defense challenges**: Showed that this new form of attack can bypass existing defense methods, emphasizing the deficiencies of current defense techniques in the face of such multi-faceted, chameleon-like perturbations.

### Formulas and technical details

1. **Basic form of adversarial attack**:
   - Adversarial examples take the form \( x+\delta \), where \( \delta \) is the adversarial perturbation.
   - Optimization problem of a targeted adversarial attack:
     \[ \min_{\delta} L(f(x + \delta), y^*) \quad \text{s.t.} \quad \|\delta\|_p \leq \epsilon \]
     where \( L \) is the loss function, \( y^* \) is the target label, and \( \|\delta\|_p \leq \epsilon \) bounds the size of the perturbation.
2. **Transformation-dependent adversarial attack**:
   - The transformation function \( T(x; \theta) \) transforms the input image \( x \) according to the transformation parameter \( \theta \).
   - Optimization problem of a transformation-dependent targeted attack:
     \[ \min_{\delta} \sum_{i} L(f(T(x + \delta; \theta_i)), y_i^*) \quad \text{s.t.} \quad \|\delta\|_p \leq \epsilon \]
     where \( \theta_i \) and \( y_i^* \) are the \( i \)-th transformation parameter and the corresponding target label, respectively.
3. **Transformation functions**:
   - **Scaling**: \( T(x; \theta = S) \) scales the image \( x \) to a new resolution of \( SH \times SW \).
   - **Blurring**: \( T(x; \theta = \sigma) \) blurs the image using a Gaussian kernel with standard deviation \( \sigma \).
   - **Gamma correction**: \( T(x; \theta) \)
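Because the objective above deliberately makes the prediction a function of \( \theta \), a defender can turn that property around and test an input for prediction stability across a sweep of \( \theta_i \). The following is an added illustration, not the paper's code or method: `scale` and `blur` implement the scaling and blurring \( T(x; \theta) \) defined above on plain grayscale lists, while `toy_classifier`, `SWEEP` and the two images are constructed stand-ins for the real model \( f \) and its inputs.

```python
import math

# Grayscale images are lists of rows of floats in [0, 1] (constructed, not the paper's data).

def scale(img, S):
    """T(x; theta=S): nearest-neighbour resize of an HxW image to round(S*H) x round(S*W)."""
    H, W = len(img), len(img[0])
    nh, nw = max(1, round(S * H)), max(1, round(S * W))
    return [[img[min(H - 1, int(r / S))][min(W - 1, int(c / S))] for c in range(nw)]
            for r in range(nh)]

def blur(img, sigma):
    """T(x; theta=sigma): Gaussian blur with standard deviation sigma (separable, edge-clamped)."""
    if sigma <= 0:
        return [row[:] for row in img]
    rad = max(1, int(3 * sigma))
    k = [math.exp(-(i * i) / (2 * sigma * sigma)) for i in range(-rad, rad + 1)]
    s = sum(k)
    k = [v / s for v in k]
    H, W = len(img), len(img[0])
    def conv1d(line):
        n = len(line)
        return [sum(k[j + rad] * line[min(n - 1, max(0, i + j))] for j in range(-rad, rad + 1))
                for i in range(n)]
    rows = [conv1d(r) for r in img]                                      # horizontal pass
    cols = [conv1d([rows[r][c] for r in range(H)]) for c in range(W)]    # vertical pass
    return [[cols[c][r] for c in range(W)] for r in range(H)]

def toy_classifier(img):
    """Constructed stand-in for f: class 1 if mean horizontal contrast is high, else class 0."""
    H, W = len(img), len(img[0])
    diffs = [abs(img[r][c] - img[r][c + 1]) for r in range(H) for c in range(W - 1)]
    return 1 if sum(diffs) / max(1, len(diffs)) > 0.25 else 0

def transformation_consistency(model, x, transforms):
    """Metamorphic check: run model on T(x; theta_i) for each (name, T, theta_i) and report whether
    all predictions agree; disagreement across theta is what the attack objective optimises for."""
    preds = [(name, theta, model(T(x, theta))) for name, T, theta in transforms]
    return len({p for _, _, p in preds}) == 1, preds

# Hypothetical parameter sweep; in practice use the theta values the deployment actually applies.
SWEEP = [("scale", scale, 0.5), ("scale", scale, 2.0), ("blur", blur, 0.0), ("blur", blur, 1.5)]

def demo():
    """Constructed inputs: flat image stays class 0 under every T; checkerboard flips 1 -> 0."""
    flat = [[0.5] * 8 for _ in range(8)]
    checker = [[float((r + c) % 2) for c in range(8)] for r in range(8)]
    return (transformation_consistency(toy_classifier, flat, SWEEP)[0],
            transformation_consistency(toy_classifier, checker, SWEEP)[0])
```

Benign inputs can also change label under aggressive transformations, so the sweep range and any disagreement threshold must be calibrated on clean data before the check is used as a review trigger.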