Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks

• URL: http://arxiv.org/abs/2111.07492v2
• Date: Thu, 18 Nov 2021 05:21:57 GMT
• Title: Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks
• Authors: Chen Ma, Xiangyu Guo, Li Chen, Jun-Hai Yong, Yisen Wang
• Abstract summary: We propose a novel geometric-based approach called Tangent Attack (TA) Tangent Attack identifies an optimal tangent point of a virtual hemisphere located on the decision boundary to reduce the distortion of the attack. Experiments conducted on the ImageNet and CIFAR-10 datasets demonstrate that our approach can consume only a small number of queries to achieve the low-magnitude distortion.
• Score: 36.24260738965947
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: One major problem in black-box adversarial attacks is the high query complexity in the hard-label attack setting, where only the top-1 predicted label is available. In this paper, we propose a novel geometric-based approach called Tangent Attack (TA), which identifies an optimal tangent point of a virtual hemisphere located on the decision boundary to reduce the distortion of the attack. Assuming the decision boundary is locally flat, we theoretically prove that the minimum $\ell_2$ distortion can be obtained by reaching the decision boundary along the tangent line passing through such tangent point in each iteration. To improve the robustness of our method, we further propose a generalized method which replaces the hemisphere with a semi-ellipsoid to adapt to curved decision boundaries. Our approach is free of hyperparameters and pre-training. Extensive experiments conducted on the ImageNet and CIFAR-10 datasets demonstrate that our approach can consume only a small number of queries to achieve the low-magnitude distortion. The implementation source code is released online at https://github.com/machanic/TangentAttack.

Related papers

• Zeroth-Order Optimization Finds Flat Minima [51.41529512093436]
  We show that zeroth-order optimization with the standard two-point estimator favors solutions with small trace of Hessian.<n>We further provide convergence rates of zeroth-order optimization to approximate flat minima for convex and sufficiently smooth functions.
  arXiv  Detail & Related papers  (2025-06-05T17:59:09Z)
• Curvature Dynamic Black-box Attack: revisiting adversarial robustness via dynamic curvature estimation [0.0]
  curvature-based approaches have attracted attention because it is assumed that high curvature may give rise to rough decision boundary.<n>We propose a new query-efficient method, dynamic curvature estimation, to estimate the decision boundary curvature in a black-box setting.
  arXiv  Detail & Related papers  (2025-05-25T15:41:11Z)
• Hard-Label Black-Box Attacks on 3D Point Clouds [66.52447238776482]
  We introduce a novel 3D attack method based on a new spectrum-aware decision boundary algorithm to generate high-quality adversarial samples. Experiments demonstrate that our attack competitively outperforms existing white/black-box attackers in terms of attack performance and adversary quality.
  arXiv  Detail & Related papers  (2024-11-30T09:05:02Z)
• A Method of Moments Embedding Constraint and its Application to Semi-Supervised Learning [2.8266810371534152]
  Discnative deep learning models with a linear+softmax final layer have a problem. Latent space only predicts the conditional probabilities $p(Y|X)$ but not the full joint distribution $p(Y,X)$. This exacerbates model over-confidence impacting many problems, such as hallucinations, confounding biases, and dependence on large datasets.
  arXiv  Detail & Related papers  (2024-04-27T18:41:32Z)
• Vanishing Point Estimation in Uncalibrated Images with Prior Gravity Direction [82.72686460985297]
  We tackle the problem of estimating a Manhattan frame. We derive two new 2-line solvers, one of which does not suffer from singularities affecting existing solvers. We also design a new non-minimal method, running on an arbitrary number of lines, to boost the performance in local optimization.
  arXiv  Detail & Related papers  (2023-08-21T13:03:25Z)
• CGBA: Curvature-aware Geometric Black-box Attack [39.63633212337113]
  Decision-based black-box attacks often necessitate a large number of queries to craft an adversarial example. We propose a novel query-efficient curvature-aware geometric decision-based black-box attack (CGBA) We develop a new query-efficient variant, CGBA-H, that is adapted for the targeted attack.
  arXiv  Detail & Related papers  (2023-08-06T17:18:04Z)
• Pure Exploration in Bandits with Linear Constraints [15.547603114649464]
  We address the problem of identifying the optimal policy with a fixed confidence level in a multi-armed bandit setup. We introduce twoally optimal algorithms for this setting, one based on the Track-and-Stop method and the other based on a game-theoretic approach. We provide empirical results that validate our bounds and visualize how constraints change the hardness of the problem.
  arXiv  Detail & Related papers  (2023-06-22T10:00:33Z)
• Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
  Sparse adversarial attacks can fool deep networks (DNNs) by only perturbing a few pixels. Recent efforts combine it with another l_infty perturbation on magnitudes. We propose a homotopy algorithm to tackle the sparsity and neural perturbation framework.
  arXiv  Detail & Related papers  (2021-06-10T20:11:36Z)
• Deep Magnification-Flexible Upsampling over 3D Point Clouds [103.09504572409449]
  We propose a novel end-to-end learning-based framework to generate dense point clouds. We first formulate the problem explicitly, which boils down to determining the weights and high-order approximation errors. Then, we design a lightweight neural network to adaptively learn unified and sorted weights as well as the high-order refinements.
  arXiv  Detail & Related papers  (2020-11-25T14:00:18Z)
• Nearly Dimension-Independent Sparse Linear Bandit over Small Action Spaces via Best Subset Selection [71.9765117768556]
  We consider the contextual bandit problem under the high dimensional linear model. This setting finds essential applications such as personalized recommendation, online advertisement, and personalized medicine. We propose doubly growing epochs and estimating the parameter using the best subset selection method.
  arXiv  Detail & Related papers  (2020-09-04T04:10:39Z)
• AcED: Accurate and Edge-consistent Monocular Depth Estimation [0.0]
  Single image depth estimation is a challenging problem. We formulate a fully differentiable ordinal regression and train the network in end-to-end fashion. A novel per-pixel confidence map computation for depth refinement is also proposed.
  arXiv  Detail & Related papers  (2020-06-16T15:21:00Z)
• GeoDA: a geometric framework for black-box adversarial attacks [79.52980486689287]
  We propose a framework to generate adversarial examples in one of the most challenging black-box settings. Our framework is based on the observation that the decision boundary of deep networks usually has a small mean curvature in the vicinity of data samples.
  arXiv  Detail & Related papers  (2020-03-13T20:03:01Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.