Query-Efficient Black-Box Adversarial Attack With Customized Iteration and Sampling.

Authors

Shi Yucheng, Han Yahong, Hu Qinghua, Yang Yi, Tian Qi

Publication information

IEEE Trans Pattern Anal Mach Intell. 2023 Feb;45(2):2226-2245. doi: 10.1109/TPAMI.2022.3169802. Epub 2023 Jan 6.

Abstract

It is a challenging task to fool an image classifier based on deep neural networks under the black-box setting where the target model can only be queried. Among existing black-box attacks, transfer-based methods tend to overfit the substitute model on parameter settings. Decision-based methods have low query efficiency due to fixed sampling and greedy search strategy. To alleviate the above problems, we present a new framework for query-efficient black-box adversarial attack by bridging transfer-based and decision-based attacks. We reveal the relationship between current noise and variance of sampling, the monotonicity of noise compression, and the influence of transition function on the decision-based attack. Guided by the new framework, we propose a black-box adversarial attack named Customized Iteration and Sampling Attack (CISA). CISA estimates the distance from nearby decision boundary to set the stepsize, and uses a dual-direction iterative trajectory to find the intermediate adversarial example. Based on the intermediate adversarial example, CISA conducts customized sampling according to the noise sensitivity of each pixel to further compress noise, and relaxes the state transition function to achieve higher query efficiency. Extensive experiments demonstrate CISA's advantage in query efficiency of black-box adversarial attacks.
