Related papers: Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent

Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent

URL: http://arxiv.org/abs/2002.07891v1
Date: Tue, 18 Feb 2020 21:48:54 GMT
Title: Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent
Authors: Pu Zhao, Pin-Yu Chen, Siyue Wang, Xue Lin
Abstract summary: Black-box adversarial attack methods have received special attentions owing to their practicality and simplicity. We propose a zeroth-order natural gradient descent (ZO-NGD) method to design the adversarial attacks. ZO-NGD can obtain significantly lower model query complexities compared with state-of-the-art attack methods.
Score: 92.4348499398224
License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
Abstract: Despite the great achievements of the modern deep neural networks (DNNs), the vulnerability/robustness of state-of-the-art DNNs raises security concerns in many application domains requiring high reliability. Various adversarial attacks are proposed to sabotage the learning performance of DNN models. Among those, the black-box adversarial attack methods have received special attentions owing to their practicality and simplicity. Black-box attacks usually prefer less queries in order to maintain stealthy and low costs. However, most of the current black-box attack methods adopt the first-order gradient descent method, which may come with certain deficiencies such as relatively slow convergence and high sensitivity to hyper-parameter settings. In this paper, we propose a zeroth-order natural gradient descent (ZO-NGD) method to design the adversarial attacks, which incorporates the zeroth-order gradient estimation technique catering to the black-box attack scenario and the second-order natural gradient descent to achieve higher query efficiency. The empirical evaluations on image classification datasets demonstrate that ZO-NGD can obtain significantly lower model query complexities compared with state-of-the-art attack methods.