Weiwei Feng,Nanqing Xu,Tianzhu Zhang,Yongdong Zhang,Feng Wu

DOI: https://doi.org/10.1109/tmm.2024.3349925

IF: 7.3

2024-01-01

IEEE Transactions on Multimedia

Abstract:Adversarial examples are well known to pose a security risk, when attacking deep learning models. While, most of existing adversarial attacks are designed to attack a single deep learning-based task, such as image classification. In practical scenarios, it is more necessary to study adversarial examples transferring across different vision tasks. However, it is challenging to create cross-task adversarial examples that can destroy multiple vision tasks at once due to unavailable various task-specific models and loss functions for attackers. To deal with this problem, we propose a Dual Attention-Guided Method (DAGM) for crafting cross-task adversarial examples by designing a spatial attention module and a channel attention module to capture overlapping discriminative regions and features that contribute to various tasks. Then we craft cross-task adversarial examples via reducing the dispersion ( i.e. , standard deviation) of feature maps re-weighted by both attention modules, which can destroy the overlapping discriminative regions and features for various tasks. Furthermore, to present theoretical explanation, we systematically analyze our method, and rigorously prove that both attention modules can provide better effectiveness of our adversarial examples, compared with existing cross-task adversarial attacks. Extensive experiments on two datasets demonstrate that our method can significantly degrade the performance of various tasks, even online CV APIs, and consistently outperform state-of-the-art methods by a large margin.

Jiacheng Guo,Tianyun Zhang,Lei Li,Haochen Yang,Hongkai Yu,Minghai Qin

2024-11-27

Abstract:Deep Neural Networks exhibit inherent vulnerabilities to adversarial attacks, which can significantly compromise their outputs and reliability. While existing research primarily focuses on attacking single-task scenarios or indiscriminately targeting all tasks in multi-task environments, we investigate selectively targeting one task while preserving performance in others within a multi-task framework. This approach is motivated by varying security priorities among tasks in real-world applications, such as autonomous driving, where misinterpreting critical objects (e.g., signs, traffic lights) poses a greater security risk than minor depth miscalculations. Consequently, attackers may hope to target security-sensitive tasks while avoiding non-critical tasks from being compromised, thus evading being detected before compromising crucial functions. In this paper, we propose a method for the stealthy multi-task attack framework that utilizes multiple algorithms to inject imperceptible noise into the input. This novel method demonstrates remarkable efficacy in compromising the target task while simultaneously maintaining or even enhancing performance across non-targeted tasks - a criterion hitherto unexplored in the field. Additionally, we introduce an automated approach for searching the weighting factors in the loss function, further enhancing attack efficiency. Experimental results validate our framework's ability to successfully attack the target task while preserving the performance of non-targeted tasks. The automated loss function weight searching method demonstrates comparable efficacy to manual tuning, establishing a state-of-the-art multi-task attack framework.

Cryptography and Security,Computer Vision and Pattern Recognition

Bingyu Liu,Jiani Hu,Weihong Deng

DOI: https://doi.org/10.3934/mbe.2023605

2023-06-14

Abstract:The advancement of deep learning has resulted in significant improvements on various visual tasks. However, deep neural networks (DNNs) have been found to be vulnerable to well-designed adversarial examples, which can easily deceive DNNs by adding visually imperceptible perturbations to original clean data. Prior research on adversarial attack methods mainly focused on single-task settings, i.e., generating adversarial examples to fool networks with a specific task. However, real-world artificial intelligence systems often require solving multiple tasks simultaneously. In such multi-task situations, the single-task adversarial attacks will have poor attack performance on the unrelated tasks. To address this issue, the generation of multi-task adversarial examples should leverage the generalization knowledge among multiple tasks and reduce the impact of task-specific information during the generation process. In this study, we propose a multi-task adversarial attack method to generate adversarial examples from a multi-task learning network by applying attention distraction with gradient sharpening. Specifically, we first attack the attention heat maps, which contain more generalization information than feature representations, by distracting the attention on the attack regions. Additionally, we use gradient-based adversarial example-generating schemes and propose to sharpen the gradients so that the gradients with multi-task information rather than only task-specific information can make a greater impact. Experimental results on the NYUD-V2 and PASCAL datasets demonstrate that the proposed method can improve the generalization ability of adversarial examples among multiple tasks and achieve better attack performance.

Minxuan Lv,Chengwei Dai,Kun Li,Wei Zhou,Songlin Hu

DOI: https://doi.org/10.18653/v1/2023.emnlp-main.340

2023-01-01

Abstract:Neural network models are vulnerable to adversarial examples, and adversarial transferability further increases the risk of adversarial attacks. Current methods based on transferability often rely on substitute models, which can be impractical and costly in real-world scenarios due to the unavailability of training data and the victim model’s structural details. In this paper, we propose a novel approach that directly constructs adversarial examples by extracting transferable features across various tasks. Our key insight is that adversarial transferability can extend across different tasks. Specifically, we train a sequence-to-sequence generative model named CT-GAT (Cross-Task Generative Adversarial Attack) using adversarial sample data collected from multiple tasks to acquire universal adversarial features and generate adversarial examples for different tasks.We conduct experiments on ten distinct datasets, and the results demonstrate that our method achieves superior attack performance with small cost.

Xuesong Chen,Xiyu Yan,Feng Zheng,Yong Jiang,Shu-Tao Xia,Yong Zhao,Rongrong Ji

DOI: https://doi.org/10.1109/CVPR42600.2020.01019

2020-01-01

Abstract:Almost all adversarial attacks in computer vision are aimed at pre-known object categories, which could be offline trained for generating perturbations. But as for visual object tracking, the tracked target categories are normally unknown in advance. However, the tracking algorithms also have potential risks of being attacked, which could be maliciously used to fool the surveillance systems. Meanwhile, it is still a challenging task that adversarial attacks on tracking since it has the free-model tracked target. Therefore, to help draw more attention to the potential risks, we study adversarial attacks on tracking algorithms. In this paper, we propose a novel one-shot adversarial attack method to generate adversarial examples for free-model single object tracking, where merely adding slight perturbations on the target patch in the initial frame causes state-of-the-art trackers to lose the target in subsequent frames. Specifically, the optimization objective of the proposed attack consists of two components and leverages the dual attention mechanisms. The first component adopts a targeted attack strategy by optimizing the batch confidence loss with confidence attention while the second one applies a general perturbation strategy by optimizing the feature loss with channel attention. Experimental results show that our approach can significantly lower the accuracy of the most advanced Siamese network-based trackers on three benchmarks.

Zihan Li,Weibin Wu,Yuxin Su,Zibin Zheng,Michael R. Lyu

DOI: https://doi.org/10.1609/aaai.v37i2.25239

2023-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Despite the excellent performance, deep neural networks (DNNs) have been shown to be vulnerable to adversarial examples. Besides, these examples are often transferable among different models. In other words, the same adversarial example can fool multiple models with different architectures at the same time. Based on this property, many black-box transfer-based attack techniques have been developed. However, current transfer-based attacks generally focus on the cross-architecture setting, where the attacker has access to the training data of the target model, which is not guaranteed in realistic situations. In this paper, we design a Cross-Domain Transfer-Based Attack (CDTA), which works in the cross-domain scenario. In this setting, attackers have no information about the target model, such as its architecture and training data. Specifically, we propose a contrastive spectral training method to train a feature extractor on a source domain (e.g., ImageNet) and use it to craft adversarial examples on target domains (e.g., Oxford 102 Flower). Our method corrupts the semantic information of the benign image by scrambling the outputs of both the intermediate feature layers and the final layer of the feature extractor. We evaluate CDTA with 16 target deep models on four datasets with widely varying styles. The results confirm that, in terms of the attack success rate, our approach can consistently outperform the state-of-the-art baselines by an average of 11.45% across all target models. Our code is available at https://github.com/LiulietLee/CDTA.

Quanxin Zhang,Yuhang Zhao,Yajie Wang,Thar Baker,Jian Zhang,Jingjing Hu

DOI: https://doi.org/10.1016/j.comnet.2020.107388

IF: 5.493

2020-10-01

Computer Networks

Abstract:<p>Deep neural network is the main research branch in artificial intelligence and suitable for many decision-making fields. Autonomous driving and unmanned vehicle often depend on deep neural networks for accurate and reliable detection, classification, and ranging of surrounding objects in real on-road environments, either locally or by swarm intelligence among distributed nodes via 5G channel. But, it has been demonstrated that deep neural networks are vulnerable to well-designed adversarial examples that are imperceptible to human eyes in computer vision tasks. It is valuable to study the vulnerability for enhancing the robustness of neural networks. However, existing adversarial examples against object detection models are image-dependent, so in this paper, we implement adversarial attacks against object detection models using universal perturbations. We find the cross-task, cross-model, and cross-dataset transferability of universal perturbations, we train universal perturbations generator firstly and then add the universal perturbations to the target images in two ways: resizing and pile-up, in order to solve the problem that universal perturbations cannot be directly applied to attack object detection models. We use the transferability of universal perturbations to attack black-box object detection models. In this way, the time cost of generating adversarial examples is reduced. A series of experiments are conducted on PASCAL VOC and MS COCO datasets demonstrating the feasibility of cross-task attacks and proving the effectiveness of our attack on two representative object detectors: regression-based models like YOLOv3 and proposal-based models like Faster R-CNN.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Tianshi Wang,Lei Zhu,Zheng Zhang,Huaxiang Zhang,Junwei Han

DOI: https://doi.org/10.1109/tcsvt.2023.3263054

IF: 5.859

2023-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep cross-modal hashing has achieved excellent retrieval performance with the powerful representation capability of deep neural networks. Regrettably, current methods are inevitably vulnerable to adversarial attacks, especially well-designed subtle perturbations that can easily fool deep cross-modal hashing models into returning irrelevant or the attacker’s specified results. Although adversarial attacks have attracted increasing attention, there are few studies on specialized attacks against deep cross-modal hashing. To solve these issues, we propose a targeted adversarial attack method against deep cross-modal hashing retrieval in this paper. To the best of our knowledge, this is the first work in this research field. Concretely, we first build a progressive fusion module to extract fine-grained target semantics through a progressive attention mechanism. Meanwhile, we design a semantic adaptation network to generate the target prototype code and reconstruct the category label, thus realizing the semantic interaction between the target semantics and the implicit semantics of the attacked model. To bridge modality gaps and preserve local example details, a semantic translator seamlessly translates the target semantics and then embeds them into benign examples in collaboration with a U-Net framework. Moreover, we construct a discriminator for adversarial training, which enhances the visual realism and category discrimination of adversarial examples, thus improving their targeted attack performance. Extensive experiments on widely tested cross-modal retrieval datasets demonstrate the superiority of our proposed method. Also, transferable attacks show that our generated adversarial examples have well generalization capability on targeted attacks. The source codes and datasets are available at https://github.com/tswang0116/TA-DCH.

engineering, electrical & electronic

Lijun Zhang,Xiao Liu,Kaleel Mahmood,Caiwen Ding,Hui Guan

2023-12-28

Abstract:Multi-Task Learning (MTL) involves developing a singular model, known as a multi-task model, to concurrently perform multiple tasks. While the security of single-task models has been thoroughly studied, multi-task models pose several critical security questions, such as 1) their vulnerability to single-task adversarial attacks, 2) the possibility of designing attacks that target multiple tasks, and 3) the impact of task sharing and adversarial training on their resilience to such attacks. This paper addresses these queries through detailed analysis and rigorous experimentation. First, we explore the adaptation of single-task white-box attacks to multi-task models and identify their limitations. We then introduce a novel attack framework, the Gradient Balancing Multi-Task Attack (GB-MTA), which treats attacking a multi-task model as an optimization problem. This problem, based on averaged relative loss change across tasks, is approximated as an integer linear programming problem. Extensive evaluations on MTL benchmarks, NYUv2 and Tiny-Taxonomy, demonstrate GB-MTA's effectiveness against both standard and adversarially trained multi-task models. The results also highlight a trade-off between task accuracy improvement via parameter sharing and increased model vulnerability due to enhanced attack transferability.

Machine Learning

Yuxuan Wang,Jiakai Wang,Zinxin Yin,Ruihao Gong,Jingyi Wang,Aishan Liu,Xianglong Liu

DOI: https://doi.org/10.1145/3503161.3547989

2022-01-01

Abstract:Vision transformers (ViTs) are prevailing among several visual recognition tasks, therefore drawing intensive interest in generating adversarial examples against them. Different from CNNs, ViTs enjoy unique architectures, e.g., self-attention and image-embedding, which are commonly-shared features among various types of transformer-based models. However, existing adversarial methods suffer from weak transferable attacking ability due to the overlook of these architectural features. To address the problem, we propose an Architecture-oriented Transferable Attacking (ATA) framework to generate transferable adversarial examples by activating the uncertain attention and perturbing the sensitive embedding.Specifically, we first locate the patch-wise attentional regions that mostly affect model perception, therefore intensively activating the uncertainty of the attention mechanism and confusing the model decisions in turn.Furthermore, we search the pixel-wise attacking positions that are more likely to derange the embedded tokens using sensitive embedding perturbation, which could serve as a strong transferable attacking pattern.By jointly confusing the unique yet widely-used architectural features among transformer-based models, we can activate strong attacking transferability among diverse ViTs. Extensive experiments on large-scale dataset ImageNet using various popular transformers demonstrate that our ATA outperforms other baselines by large margins (at least +15% Attack Success Rate). Our code is available at https://github.com/nlsde-safety-team/ATA

Xiaoyi Dong,Jiangfan Han,Dongdong Chen,Jiayang Liu,Huanyu Bian,Zehua Ma,Hongsheng Li,Xiaogang Wang,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/CVPR42600.2020.01291

2020-01-01

Abstract:Deep Neural Networks are vulnerable to adversarial samples, which can fool classifiers by adding small perturbations onto the original image. Since the pioneering optimization-based adversarial attack method, many following methods have been proposed in the past several years. However most of these methods add perturbations in a \"pixel-wise\" and \"global\" way. Firstly, because of the contradiction between the local smoothness of natural images and the noisy property of these adversarial perturbations, this \"pixel-wise\" way makes these methods not robust to image processing based defense methods and steganalysis based detection methods. Secondly, we find adding perturbations to the background is less useful than to the salient object, thus the \"global\" way is also not optimal. Based on these two considerations, we propose the first robust superpixel-guided attentional adversarial attack method. Specifically, the adversarial perturbations are only added to the salient regions and guaranteed to be same within each superpixel. Through extensive experiments, we demonstrate our method can preserve the attack ability even in this highly constrained modification space. More importantly, compared to existing methods, it is significantly more robust to image processing based defense and steganalysis based detection.

Yu Zhe,Rei Nagaike,Daiki Nishiyama,Kazuto Fukuchi,Jun Sakuma

2024-05-28

Abstract:Deep learning models are susceptible to adversarial attacks, where slight perturbations to input data lead to misclassification. Adversarial attacks become increasingly effective with access to information about the targeted classifier. In the context of multi-task learning, where a single model learns multiple tasks simultaneously, attackers may aim to exploit vulnerabilities in specific tasks with limited information. This paper investigates the feasibility of attacking hidden tasks within multi-task classifiers, where model access regarding the hidden target task and labeled data for the hidden target task are not available, but model access regarding the non-target tasks is available. We propose a novel adversarial attack method that leverages knowledge from non-target tasks and the shared backbone network of the multi-task model to force the model to forget knowledge related to the target task. Experimental results on CelebA and DeepFashion datasets demonstrate the effectiveness of our method in degrading the accuracy of hidden tasks while preserving the performance of visible tasks, contributing to the understanding of adversarial vulnerabilities in multi-task classifiers.

Machine Learning

Matthew Lawhon,Chengzhi Mao,Junfeng Yang

DOI: https://doi.org/10.48550/arXiv.2204.03714

2022-04-08

Abstract:Deep networks achieve state-of-the-art performance on computer vision tasks, yet they fail under adversarial attacks that are imperceptible to humans. In this paper, we propose a novel defense that can dynamically adapt the input using the intrinsic structure from multiple self-supervised tasks. By simultaneously using many self-supervised tasks, our defense avoids over-fitting the adapted image to one specific self-supervised task and restores more intrinsic structure in the image compared to a single self-supervised task approach. Our approach further improves robustness and clean accuracy significantly compared to the state-of-the-art single task self-supervised defense. Our work is the first to connect multiple self-supervised tasks to robustness, and suggests that we can achieve better robustness with more intrinsic signal from visual data.

Computer Vision and Pattern Recognition,Machine Learning

Shangxi Wu,Jitao Sang,Kaiyuan Xu,Jiaming Zhang,Jian Yu

DOI: https://doi.org/10.1145/3572843

2023-02-27

Abstract:This study provides a new understanding of the adversarial attack problem by examining the correlation between adversarial attack and visual attention change. In particular, we observed that: (1) images with incomplete attention regions are more vulnerable to adversarial attacks; and (2) successful adversarial attacks lead to deviated and scattered activation map. Therefore, we use the mask method to design an attention-preserving loss and a contrast method to design a loss that makes the model’s attention rectification. Accordingly, an attention-based adversarial defense framework is designed, under which better adversarial training or stronger adversarial attacks can be performed through the above constraints. We hope the attention-related data analysis and defense solution in this study will shed some light on the mechanism behind the adversarial attack and also facilitate future adversarial defense/attack model design.

computer science, information systems, theory & methods, software engineering

Yu Ran,Weijia Wang,Mingjie Li,Lin-Cheng Li,Yuan-Gen Wang,Jin Li

DOI: https://doi.org/10.1109/tcsvt.2023.3307150

IF: 5.859

2023-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Recent studies have shown that deep learning-based classifiers are vulnerable to malicious inputs, i.e., adversarial examples. A practical solution is to construct a perceptible but localized perturbation called patch, making the well-trained models misclassified. However, most existing patch-based adversarial attacks focus on designing patches with localized rectangles, squares, or grids, ignoring the effect of the non-local patch. In this paper, we propose a novel cross-shaped patch attack paradigm (CSPA), a simple yet efficient and effective adversarial attack in Black-box scenarios. Specifically, the cross-shaped patch consists of two line segments intersected and perpendicular to each other at the midpoint. These two line segments are designed to be sufficiently thin and long to reach the four corners of the input image nearly. Thus, the patch has a globalized perturbation capacity while preserving its continuousness. The content and location of cross-shaped patch are then iteratively optimized by a carefully contrived random search-based algorithm to maximize this global property. Comprehensive experiments are conducted on four benchmark datasets against various victim networks. The results show that the proposed CSPA outperforms the existing patch-based attacks regarding both attack success rate and query efficiency by a large margin. Specifically, compared with the baselines, CSPA increases the success rate by up to 20% on ImageNet and reaches 100% on the CIFAR-100 and CIFAR-10 datasets. Meanwhile, CSPA reduces the average number of queries by up to 7 times. Even for the white-box attack scenario, our designed cross-shaped patch can still be applicable, achieving state-of-the-art performance.

engineering, electrical & electronic

Zhankai Li,Weiping Wang,Jie Li,Kai Chen,Shigeng Zhang

DOI: https://doi.org/10.1109/tifs.2024.3352913

IF: 7.231

2024-02-06

IEEE Transactions on Information Forensics and Security

Abstract:Generating transferable adversarial examples is a challenging issue in adversarial attacks. Existing works on transferable adversarial examples generation mainly focus on models with similar architectures and trained on the same data domain. However, in practice, information such as the model architecture type and training data domain is unlikely to be revealed in deployed models. In this work, we introduce the Universal Cross-domain Generator (UCG), a pioneering framework for transferable adversarial examples that is the first to simultaneously address both cross-domain and cross-architecture challenges in adversarial attacks. The design of UCG is mainly inspired by two key observations. First, there exists some commonality in attention regions even when the structures of models are different. Second, there exists prevalent instability of intermediate-feature maps across cross-domain models. We accordingly design an attention transfer mechanism and a roughness abatement mechanism to enhance the cross-architecture and cross-domain transferability of the generated adversarial examples. Moreover, we propose an integrated transformation processing technique to improve the transferability of the generated adversarial examples under different transformations. Experimental results demonstrate that, compared with state-of-the-art solutions, UCG improves the average transferable attack success rate by 14.6%, 7.8%, and 7.9% in the cross-architecture task (convolutional neural networks (CNNs) to vision transformers (ViTs)), coarse-grained cross-domain tasks, and fine-grained cross-domain tasks, respectively.

computer science, theory & methods,engineering, electrical & electronic

Yunpeng Gong,Qingyuan Zeng,Dejun Xu,Zhenzhong Wang,Min Jiang

2024-09-26

Abstract:In recent years, despite significant advancements in adversarial attack research, the security challenges in cross-modal scenarios, such as the transferability of adversarial attacks between infrared, thermal, and RGB images, have been overlooked. These heterogeneous image modalities collected by different hardware devices are widely prevalent in practical applications, and the substantial differences between modalities pose significant challenges to attack transferability. In this work, we explore a novel cross-modal adversarial attack strategy, termed multiform attack. We propose a dual-layer optimization framework based on gradient-evolution, facilitating efficient perturbation transfer between modalities. In the first layer of optimization, the framework utilizes image gradients to learn universal perturbations within each modality and employs evolutionary algorithms to search for shared perturbations with transferability across different modalities through secondary optimization. Through extensive testing on multiple heterogeneous datasets, we demonstrate the superiority and robustness of Multiform Attack compared to existing techniques. This work not only enhances the transferability of cross-modal adversarial attacks but also provides a new perspective for understanding security vulnerabilities in cross-modal systems.

Computer Vision and Pattern Recognition

Zheng Wang,Hui Wei,Zhixiang Wang,Kewei Zhang,Jiaqi Hou,Yuanwei Liu,Xuemei Jia,Meng Huang,Ruimin Hu,Yinqiang Zheng,Hao Tang,Joey Tianyi Zhou

DOI: https://doi.org/10.21203/rs.3.rs-4729529/v1

2024-01-01

Abstract:The integration of cameras and artificial intelligence (AI) has revolutionized various applications, yet the robustness of these systems against physical adversarial attacks remains underexplored. Existing adversarial strategies typically target single imaging devices, resulting in limited efficacy and stability across different camera systems. Here, we present a camera-agnostic physical adversarial attack framework designed to challenge AI+camera synergies. Our approach introduces a novel adversarial optimization framework that consists of an attack module and a defense module. The attack module optimizes perturbations to maximize their effectiveness, while the defense module adjusts the parameters of a camera ISP proxy to minimize the attack's impact. These modules interact in an adversarial game, enhancing the stability of attacks across multiple camera types. Through extensive experiments, we demonstrate the efficacy of our method in misleading AI-driven tasks across various hardware configurations, including two distinct cameras and four smartphones. This work advances the field of physical adversarial attacks by providing robust, real-world applicable techniques for undermining AI+camera systems.

Ziyi Yin,Muchao Ye,Tianrong Zhang,Jiaqi Wang,Han Liu,Jinghui Chen,Ting Wang,Fenglong Ma

2024-02-17

Abstract:Visual Question Answering (VQA) is a fundamental task in computer vision and natural language process fields. Although the ``pre-training & finetuning'' learning paradigm significantly improves the VQA performance, the adversarial robustness of such a learning paradigm has not been explored. In this paper, we delve into a new problem: using a pre-trained multimodal source model to create adversarial image-text pairs and then transferring them to attack the target VQA models. Correspondingly, we propose a novel VQAttack model, which can iteratively generate both image and text perturbations with the designed modules: the large language model (LLM)-enhanced image attack and the cross-modal joint attack module. At each iteration, the LLM-enhanced image attack module first optimizes the latent representation-based loss to generate feature-level image perturbations. Then it incorporates an LLM to further enhance the image perturbations by optimizing the designed masked answer anti-recovery loss. The cross-modal joint attack module will be triggered at a specific iteration, which updates the image and text perturbations sequentially. Notably, the text perturbation updates are based on both the learned gradients in the word embedding space and word synonym-based substitution. Experimental results on two VQA datasets with five validated models demonstrate the effectiveness of the proposed VQAttack in the transferable attack setting, compared with state-of-the-art baselines. This work reveals a significant blind spot in the ``pre-training & fine-tuning'' paradigm on VQA tasks. Source codes will be released.

Computer Vision and Pattern Recognition

Yaoyuan Zhang,Yu-an Tan,Mingfeng Lu,Tian Chen,Yuanzhang Li,Quanxin Zhang

DOI: https://doi.org/10.1002/int.22932

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:Deep neural networks are highly vulnerable to adversarial examples, and these adversarial examples stay malicious when transferred to other neural networks. Many works exploit this transferability of adversarial examples to execute black-box attacks. However, most existing adversarial attack methods rarely consider cross-task black-box attacks that are more similar to real-world scenarios. In this paper, we propose a class of random blur-based iterative methods (RBMs) to enhance the success rates of cross-task black-box attacks. By integrating the random erasing and Gaussian blur into the iterative gradient-based attacks, the proposed RBM augments the diversity of adversarial perturbation and alleviates the marginal effect caused by iterative gradient-based methods, generating the adversarial examples of stronger transferability. Experimental results on ImageNet and PASCAL VOC data sets show that the proposed RBM generates more transferable adversarial examples on image classification models, thereby successfully attacking cross-task black-box object detection models.