Li Chao, Jiang Tingsong, Wang Handing, Yao Wen, Wang Donghua
IEEE Trans Pattern Anal Mach Intell. 2025 Jan;47(1):161-171. doi: 10.1109/TPAMI.2024.3461686. Epub 2024 Dec 4.
Black-box adversarial attacks can be categorized into transfer-based and query-based attacks. The former usually has poor transfer performance due to the mismatch between the architectures of models, while the query-based attacks require massive queries and high dimensional optimization variables. In order to solve the above problems, we propose a novel attack framework integrating the advantages of transfer- and query-based attacks, where the framework is divided into two phases: training the adversarial generator and executing the black-box attacks. In the first stage, a generator is trained by the adversarial loss function so that it can output adversarial perturbation, where the latent variables are designed as the input of the generator to reduce the dimension of the optimization variables. In the second stage, based on the trained generator, we further employ a particle swarm optimization algorithm to optimize the latent variables so that the generator can output the perturbation that can achieve a successful attack. Extensive experiments are performed on the ImageNet dataset, and the results demonstrate that the proposed framework can obtain better attack performance compared with a number of the state-of-the-art black-box adversarial attack methods. In addition, we show the flexibility of the proposed framework by extending the experiment for few-pixel attacks.
黑盒对抗攻击可分为基于迁移的攻击和基于查询的攻击。前者通常由于模型架构之间的不匹配而具有较差的迁移性能,而基于查询的攻击需要大量查询和高维优化变量。为了解决上述问题,我们提出了一种新颖的攻击框架,该框架整合了基于迁移和基于查询的攻击的优点,其中该框架分为两个阶段:训练对抗生成器和执行黑盒攻击。在第一阶段,通过对抗损失函数训练一个生成器,使其能够输出对抗扰动,其中潜在变量被设计为生成器的输入以降低优化变量的维度。在第二阶段,基于训练好的生成器,我们进一步采用粒子群优化算法来优化潜在变量,以便生成器能够输出可实现成功攻击的扰动。在ImageNet数据集上进行了大量实验,结果表明,与许多现有的黑盒对抗攻击方法相比,所提出的框架能够获得更好的攻击性能。此外,我们通过扩展少像素攻击的实验展示了所提出框架的灵活性。
