To address the poor transferability of adversarial examples across architectures—particularly from CNNs to Vision Transformers (ViTs)—this paper proposes Spatial Adversarial Alignment (SAA). SAA introduces the first dual-path alignment mechanism integrating spatial and adversarial awareness: a witness model guides the surrogate model to focus on shared vulnerable regions, enabling alignment in both global and local feature spaces. It further incorporates a self-adversarial constraint to enforce feature consistency under adversarial perturbations and integrates multi-scale spatial matching with collaborative optimization. Evaluated on ImageNet, SAA significantly improves cross-architecture attack success rates, achieving an average gain of 12.7%. Notably, its transferability to ViT-based target models is substantially enhanced, outperforming state-of-the-art black-box attack methods by a large margin.

Deep neural networks are vulnerable to adversarial examples that exhibit transferability across various models. Numerous approaches are proposed to enhance the transferability of adversarial examples, including advanced optimization, data augmentation, and model modifications. However, these methods still show limited transferability, particularly in cross-architecture scenarios, such as from CNN to ViT. To achieve high transferability, we propose a technique termed Spatial Adversarial Alignment (SAA), which employs an alignment loss and leverages a witness model to fine-tune the surrogate model. Specifically, SAA consists of two key parts: spatial-aware alignment and adversarial-aware alignment. First, we minimize the divergences of features between the two models in both global and local regions, facilitating spatial alignment. Second, we introduce a self-adversarial strategy that leverages adversarial examples to impose further constraints, aligning features from an adversarial perspective. Through this alignment, the surrogate model is trained to concentrate on the common features extracted by the witness model. This facilitates adversarial attacks on these shared features, thereby yielding perturbations that exhibit enhanced transferability. Extensive experiments on various architectures on ImageNet show that aligned surrogate models based on SAA can provide higher transferable adversarial examples, especially in cross-architecture attacks.