Switching Transferable Gradient Directions for Query-Efficient Black-Box
Adversarial Attacks
- URL: http://arxiv.org/abs/2009.07191v2
- Date: Thu, 13 May 2021 12:47:32 GMT
- Title: Switching Transferable Gradient Directions for Query-Efficient Black-Box
Adversarial Attacks
- Authors: Chen Ma, Shuyu Cheng, Li Chen, Jun Zhu, Junhai Yong
- Abstract summary: We propose a simple and highly query-efficient black-box adversarial attack named SWITCH.
SWITCH features a highly efficient and effective utilization of the gradient of a surrogate model.
Experimental results conducted on CIFAR-10, CIFAR-100 and TinyImageNet show that SWITCH achieves a satisfactory attack success rate.
- Score: 38.91061792696202
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: We propose a simple and highly query-efficient black-box adversarial attack
named SWITCH, which achieves state-of-the-art performance in the score-based
setting. SWITCH features a highly efficient and effective utilization of the
gradient of a surrogate model $\hat{\mathbf{g}}$ w.r.t. the input image, i.e.,
the transferable gradient. In each iteration, SWITCH first tries to update the
current sample along the direction of $\hat{\mathbf{g}}$, but considers
switching to its opposite direction $-\hat{\mathbf{g}}$ if our algorithm
detects that it does not increase the value of the attack objective function.
We justify the choice of switching to the opposite direction by a local
approximate linearity assumption. In SWITCH, only one or two queries are needed
per iteration, but it is still effective due to the rich information provided
by the transferable gradient, thereby resulting in unprecedented query
efficiency. To improve the robustness of SWITCH, we further propose
SWITCH$_\text{RGF}$ in which the update follows the direction of a random
gradient-free (RGF) estimate when neither $\hat{\mathbf{g}}$ nor its opposite
direction can increase the objective, while maintaining the advantage of SWITCH
in terms of query efficiency. Experimental results conducted on CIFAR-10,
CIFAR-100 and TinyImageNet show that compared with other methods, SWITCH
achieves a satisfactory attack success rate using much fewer queries, and
SWITCH$_\text{RGF}$ achieves the state-of-the-art attack success rate with
fewer queries overall. Our approach can serve as a strong baseline for future
black-box attacks because of its simplicity. The PyTorch source code is
released at https://github.com/machanic/SWITCH.
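Below is a minimal PyTorch sketch of one SWITCH iteration for an untargeted, $\ell_\infty$-bounded, score-based attack, following the description in the abstract. The helper names (attack_objective, query_target, step_size, epsilon) and the specific choice of objective are illustrative assumptions for this sketch, not the interface of the released implementation.

```python
# Minimal sketch of one SWITCH iteration (untargeted, l_inf-constrained, score-based).
# Helper names and the objective are illustrative assumptions, not the released code.
import torch
import torch.nn.functional as F

def attack_objective(logits, label):
    # Objective the attacker wants to INCREASE; negative cross-entropy of the
    # true label is one common choice for untargeted attacks (assumed here).
    return -F.cross_entropy(logits, label)

def switch_iteration(x_adv, x_orig, label, last_obj,
                     surrogate, query_target, step_size, epsilon):
    # Transferable gradient g_hat of the objective w.r.t. the input, computed on the surrogate.
    x = x_adv.clone().detach().requires_grad_(True)
    g_hat = torch.autograd.grad(attack_objective(surrogate(x), label), x)[0]

    def step(direction):
        # PGD-style l_inf-projected step along the chosen direction.
        x_new = x_adv + step_size * direction.sign()
        x_new = torch.min(torch.max(x_new, x_orig - epsilon), x_orig + epsilon)
        return x_new.clamp(0.0, 1.0)

    candidate = step(g_hat)
    obj = attack_objective(query_target(candidate), label)   # first query to the target model
    if obj > last_obj:
        return candidate, obj                                 # +g_hat already helps: accept it

    # Otherwise switch to -g_hat; under local approximate linearity, a direction that
    # decreases the objective implies its opposite increases it.
    candidate = step(-g_hat)
    obj = attack_objective(query_target(candidate), label)   # optional second query
    return candidate, obj
```

SWITCH$_\text{RGF}$ would additionally fall back to a random gradient-free (RGF) gradient estimate when neither $\hat{\mathbf{g}}$ nor $-\hat{\mathbf{g}}$ increases the objective; that branch is omitted here for brevity.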
Related papers
- Rethinking PGD Attack: Is Sign Function Necessary? [131.6894310945647]
We present a theoretical analysis of how such a sign-based update rule influences step-wise attack performance.
We propose a new raw gradient descent (RGD) algorithm that eliminates the use of the sign operation (a minimal sketch contrasting the two update rules appears after this list).
The effectiveness of the proposed RGD algorithm has been demonstrated extensively in experiments.
arXiv Detail & Related papers (2023-12-03T02:26:58Z) - Sampling-based Fast Gradient Rescaling Method for Highly Transferable
Adversarial Attacks [19.917677500613788]
Gradient-based approaches generally use the $\mathrm{sign}$ function to generate perturbations at the end of the process.
We propose a Sampling-based Fast Gradient Rescaling Method (S-FGRM) to improve the transferability of crafted adversarial examples.
arXiv Detail & Related papers (2022-04-06T15:12:20Z) - Attacking deep networks with surrogate-based adversarial black-box
methods is easy [7.804269142923776]
A recent line of work on black-box adversarial attacks has revived the use of transfer from surrogate models.
Here, we provide a short and simple algorithm which achieves state-of-the-art results through a search.
The guiding assumption of the algorithm is that the studied networks are in a fundamental sense learning similar functions.
arXiv Detail & Related papers (2022-03-16T16:17:18Z) - Fast Gradient Non-sign Methods [67.56549792690706]
Fast Gradient Non-sign Method (FGNM) is a general routine, which can seamlessly replace the conventional $\mathrm{sign}$ operation in gradient-based attacks.
Our methods outperform them by 27.5% at most and 9.5% on average.
arXiv Detail & Related papers (2021-10-25T08:46:00Z) - Adversarial Attacks on Gaussian Process Bandits [47.84198626686564]
We propose various adversarial attack methods with differing assumptions on the attacker's strength and prior information.
Our goal is to understand adversarial attacks on GP bandits from both a theoretical and practical perspective.
We demonstrate that adversarial attacks on GP bandits can succeed in forcing the algorithm towards $\mathcal{R}_{\rm target}$ even with a low attack budget.
arXiv Detail & Related papers (2021-10-16T02:39:10Z) - Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
Sparse adversarial attacks can fool deep neural networks (DNNs) by perturbing only a few pixels.
Recent efforts combine it with an $\ell_\infty$ constraint on the perturbation magnitudes.
We propose a homotopy algorithm to jointly tackle the sparsity and the perturbation bound in one unified framework.
arXiv Detail & Related papers (2021-06-10T20:11:36Z) - Transferable Sparse Adversarial Attack [62.134905824604104]
We introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples.
Our method achieves superior inference speed, 700$\times$ faster than other optimization-based methods.
arXiv Detail & Related papers (2021-05-31T06:44:58Z) - Boosting Gradient for White-Box Adversarial Attacks [60.422511092730026]
We propose a universal adversarial example generation method, called ADV-ReLU, to enhance the performance of gradient-based white-box attack algorithms.
Our approach calculates the gradient of the loss function with respect to the network input, maps the values to scores, and selects a part of them to update the misleading gradients.
arXiv Detail & Related papers (2020-10-21T02:13:26Z)
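Several of the related papers above (RGD, S-FGRM, FGNM) revolve around replacing the $\mathrm{sign}$ operation in gradient-based attacks with a raw or rescaled gradient. The following sketch contrasts the two update rules; the function names and the particular rescaling are illustrative assumptions, not any specific paper's method.

```python
import torch

def sign_update(x, grad, step_size):
    # Conventional FGSM/PGD-style step: only the sign of each gradient component is used.
    return x + step_size * grad.sign()

def raw_gradient_update(x, grad, step_size):
    # Sign-free step in the spirit of RGD/FGNM: keep the gradient's direction and
    # rescale it so the largest component moves by step_size (one simple choice).
    scale = step_size / (grad.abs().max() + 1e-12)
    return x + scale * grad
```

Keeping the raw direction preserves the relative per-pixel magnitudes that the sign operation discards, which is the shared motivation of these sign-free variants.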
This list is automatically generated from the titles and abstracts of the papers in this site.