CGBA: Curvature-aware Geometric Black-box Attack
- URL: http://arxiv.org/abs/2308.03163v1
- Date: Sun, 6 Aug 2023 17:18:04 GMT
- Authors: Md Farhamdur Reza, Ali Rahmati, Tianfu Wu, Huaiyu Dai
- Abstract summary: Decision-based black-box attacks often necessitate a large number of queries to craft an adversarial example.
We propose a novel query-efficient curvature-aware geometric decision-based black-box attack (CGBA).
We develop a new query-efficient variant, CGBA-H, that is adapted for the targeted attack.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Decision-based black-box attacks often necessitate a large number of queries
to craft an adversarial example. Moreover, decision-based attacks based on
querying boundary points in the estimated normal vector direction often suffer
from inefficiency and convergence issues. In this paper, we propose a novel
query-efficient curvature-aware geometric decision-based black-box attack
(CGBA) that conducts boundary search along a semicircular path on a restricted
2D plane to ensure finding a boundary point successfully irrespective of the
boundary curvature. While the proposed CGBA attack can work effectively for an
arbitrary decision boundary, it is particularly efficient in exploiting the low
curvature to craft high-quality adversarial examples, which is widely seen and
experimentally verified in commonly used classifiers under non-targeted
attacks. In contrast, the decision boundaries often exhibit higher curvature
under targeted attacks. Thus, we develop a new query-efficient variant, CGBA-H,
that is adapted for the targeted attack. In addition, we further design an
algorithm to obtain a better initial boundary point at the expense of some
extra queries, which considerably enhances the performance of the targeted
attack. Extensive experiments are conducted to evaluate the performance of our
proposed methods against some well-known classifiers on the ImageNet and
CIFAR10 datasets, demonstrating the superiority of CGBA and CGBA-H over
state-of-the-art non-targeted and targeted attacks, respectively. The source
code is available at https://github.com/Farhamdur/CGBA.
Related papers
- AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338]
Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries.
We show that ACPT can detect 7 state-of-the-art query-based attacks with $>99\%$ detection rate within 5 shots.
We also show that ACPT is robust to 3 types of adaptive attacks.
arXiv Detail & Related papers (2024-08-04T09:53:50Z)
- Logit Margin Matters: Improving Transferable Targeted Adversarial Attack by Logit Calibration [85.71545080119026]
The Cross-Entropy (CE) loss function is insufficient to learn transferable targeted adversarial examples.
We propose two simple and effective logit calibration methods, which are achieved by downscaling the logits with a temperature factor and an adaptive margin.
Experiments conducted on the ImageNet dataset validate the effectiveness of the proposed methods.
arXiv Detail & Related papers (2023-03-07T06:42:52Z)
- To Make Yourself Invisible with Adversarial Semantic Contours [47.755808439588094]
Adversarial Semantic Contour (ASC) is an estimate of a Bayesian formulation of sparse attack with a deceived prior of object contour.
We show that ASC can corrupt the prediction of 9 modern detectors with different architectures.
We conclude with cautions about contour being the common weakness of object detectors with various architectures.
arXiv Detail & Related papers (2023-03-01T07:22:39Z)
- A Large-scale Multiple-objective Method for Black-box Attack against Object Detection [70.00150794625053]
We propose to minimize the true positive rate and maximize the false positive rate, which can encourage more false positive objects to block the generation of new true positive bounding boxes.
We extend the standard Genetic Algorithm with Random Subset selection and Divide-and-Conquer, called GARSDC, which significantly improves the efficiency.
Compared with state-of-the-art attack methods, GARSDC decreases the mAP by an average of 12.0 and the number of queries by about 1000 times in extensive experiments.
arXiv Detail & Related papers (2022-09-16T08:36:42Z)
- Gradient Aligned Attacks via a Few Queries [18.880398046794138]
Black-box query attacks show low performance in a novel scenario where only a few queries are allowed.
We propose gradient aligned attacks (GAA) which use the gradient aligned losses to improve the attack performance on the victim model.
Our proposed gradient aligned attacks and losses show significant improvements in the attack performance and query efficiency of black-box query attacks.
arXiv Detail & Related papers (2022-05-19T12:32:20Z)
- Parallel Rectangle Flip Attack: A Query-based Black-box Attack against Object Detection [89.08832589750003]
We propose a Parallel Rectangle Flip Attack (PRFA) via random search to avoid sub-optimal detection near the attacked region.
Our method can effectively and efficiently attack various popular object detectors, including anchor-based and anchor-free, and generate transferable adversarial examples.
arXiv Detail & Related papers (2022-01-22T06:00:17Z)
- RamBoAttack: A Robust Query Efficient Deep Neural Network Decision Exploit [9.93052896330371]
We develop a robust query efficient attack capable of avoiding entrapment in a local minimum and misdirection from noisy gradients.
The RamBoAttack is more robust to the different sample inputs available to an adversary and the targeted class.
arXiv Detail & Related papers (2021-12-10T01:25:24Z)
- Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm [93.80082636284922]
Sparse adversarial attacks can fool deep networks (DNNs) by only perturbing a few pixels.
Recent efforts combine it with another $\ell_\infty$ perturbation on magnitudes.
We propose a homotopy algorithm to tackle the sparsity and neural perturbation framework.
arXiv Detail & Related papers (2021-06-10T20:11:36Z)
- QEBA: Query-Efficient Boundary-Based Blackbox Attack [27.740081902519517]
We propose a Query-Efficient Boundary-based blackbox Attack (QEBA) based only on the model's final prediction labels.
We show that compared with the state-of-the-art blackbox attacks, QEBA is able to use a smaller number of queries to achieve a lower magnitude of perturbation with 100% attack success rate.
arXiv Detail & Related papers (2020-05-28T16:41:12Z)