Improving Transferability of Adversarial Attacks via Frequency-Consistent Regularization

Adversarial examples have revealed the vulnerability of deep neural networks, and their transferability makes black-box attacks particularly concerning. However, perturbations crafted on a surrogate model often do not remain sufficiently effective on unseen target models. In this paper, we revisit this issue from a frequency-domain perspective and observe that perturbation optimization can become overly dependent on specific spectral patterns, which weakens cross-model transfer. To address this problem, we propose frequency-consistent regularization (FCR), a simple plug-in strategy that can be combined with existing iterative attacks. FCR introduces multiple low-frequency preserving views with randomly sampled frequency ranges at each iteration and optimizes perturbations across these varied views. In this way, the generated perturbations are less tied to a specific frequency configuration and show improved transferability. Experimental results show that FCR consistently improves the transfer performance of various iterative attacks. The improvement is observed not only in standard target models but also in adversarially trained models, where the gain is often more pronounced.