The image experimental data generated by TAFID

Convolutional Neural Networks (CNNs) have been widely applied in critical fields, such as autonomous driving and face recognition. However, with the rapid development of artificial intelligence technology and computing power, CNNs are increasingly threatened by adversarial attacks. Among these, transferable targeted adversarial attacks in the black-box scenarios are particularly dangerous, which can mislead the model to output a specified target label. Existing methods try to boost transferability by training auxiliary networks, enriching example diversity or stabilizing gradient updates, but these methods usually require extra training costs or easily get stuck in local optima. To address these limitations, this paper proposes a Transferable Targeted Adversarial Attack method based on Feature Interpretation and Dynamic Optimization (TAFID) for CNNs. TAFID utilizes dynamic mask updates to adjust the model's focus areas on input examples and adaptively constrain the ranges of perturbation. Additionally, a global-local feature alignment strategy is designed to maximize the possibility of outputting target labels and the cosine similarities between global and cropped regions, to align adversarial examples with the target distribution in deep semantic spaces. Experimental results demonstrate that when attacking CNNs, models with architectures different from CNNs and third-party deep learning systems, TAFID improves the average targeted attack success rate on black-box target models by 47.9%, 30.4%, 30.5% and 42.6% compared to RAP, ODI, SASD-WS and CFM, respectively. Moreover, the generated adversarial examples exhibit superior authenticity, indicating a higher similarity between original and adversarial examples.