Enhancing Adversarial Transferability With Intermediate Layer Feature Attack on Synthetic Aperture Radar Images

Synthetic aperture radar (SAR) automatic target recognition (ATR) systems based on deep neural network models are vulnerable to adversarial examples. Existing SAR adversarial attack algorithms require access to the network structure, parameters, and training data, which are often inaccessible in real-world scenarios. To address this problem, this study proposes an intermediate layer feature attack algorithm that does not rely on training data for the adversary model. Electromagnetic simulation is used to obtain the simulated SAR local data domain during the training stage. A lightweight generator, TinyResNet, is introduced to quickly construct adversarial examples through a one-step mapping process. In addition, the transferability of these examples across different models is improved by eliminating the intermediate layer features of the model. Finally, a domain-agnostic feature attention module is utilized to reduce discrepancies between different data domains from a model perspective, further improving the transferability of adversarial examples across domains. Experimental results on five SAR datasets of ground vehicles, ships, and scene types demonstrate that the proposed algorithm outperforms 13 mainstream adversarial attack algorithms in terms of cross-model and cross-data domain transferability. In particular, the proposed method improves the cross-domain attack success rate by 43.74%-48.88% on the MSTAR dataset.