To address the weak transferability of adversarial examples and susceptibility to surrogate model overfitting in black-box attacks against Vision Transformers (ViTs), this paper proposes a commonality-oriented gradient optimization framework. We first model the shared mid-to-low-frequency feature dependencies and individual-specific discrepancies across ViT surrogate models, then introduce a dual-branch mechanism: mid-to-low-frequency-directed perturbation, frequency-prior weighting, adaptive correlation-threshold filtering, and multi-model collaborative regularization—jointly enhancing commonality-aware gradients while suppressing individual noise. The method is both interpretable and adaptive. Experiments on ImageNet demonstrate substantial improvements in cross-architecture transferability: our approach achieves average gains of 5.2–11.7% over state-of-the-art methods in both ViT-to-CNN and ViT-to-ViT attack scenarios.

Exploring effective and transferable adversarial examples is vital for understanding the characteristics and mechanisms of Vision Transformers (ViTs). However, adversarial examples generated from surrogate models often exhibit weak transferability in black-box settings due to overfitting. Existing methods improve transferability by diversifying perturbation inputs or applying uniform gradient regularization within surrogate models, yet they have not fully leveraged the shared and unique features of surrogate models trained on the same task, leading to suboptimal transfer performance. Therefore, enhancing perturbations of common information shared by surrogate models and suppressing those tied to individual characteristics offers an effective way to improve transferability. Accordingly, we propose a commonality-oriented gradient optimization strategy (COGO) consisting of two components: Commonality Enhancement (CE) and Individuality Suppression (IS). CE perturbs the mid-to-low frequency regions, leveraging the fact that ViTs trained on the same dataset tend to rely more on mid-to-low frequency information for classification. IS employs adaptive thresholds to evaluate the correlation between backpropagated gradients and model individuality, assigning weights to gradients accordingly. Extensive experiments demonstrate that COGO significantly improves the transfer success rates of adversarial attacks, outperforming current state-of-the-art methods.