ADBA:Approximation Decision Boundary Approach for Black-Box Adversarial Attacks
- URL: http://arxiv.org/abs/2406.04998v2
- Date: Wed, 12 Jun 2024 08:49:16 GMT
- Title: ADBA:Approximation Decision Boundary Approach for Black-Box Adversarial Attacks
- Authors: Feiyang Wang, Xingquan Zuo, Hai Huang, Gang Chen
- Abstract summary: Black-box attacks are stealthy, generating adversarial examples using hard labels from machine learning models.
This paper introduces a novel approach using the Approximation Decision Boundary (ADB) to efficiently and accurately compare perturbation directions.
The effectiveness of our ADB approach (ADBA) hinges on promptly identifying suitable ADB, ensuring reliable differentiation of all perturbation directions.
- Score: 6.253823500300899
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Many machine learning models are susceptible to adversarial attacks, with decision-based black-box attacks representing the most critical threat in real-world applications. These attacks are extremely stealthy, generating adversarial examples using hard labels obtained from the target machine learning model. This is typically realized by optimizing perturbation directions, guided by decision boundaries identified through query-intensive exact search, significantly limiting the attack success rate. This paper introduces a novel approach using the Approximation Decision Boundary (ADB) to efficiently and accurately compare perturbation directions without precisely determining decision boundaries. The effectiveness of our ADB approach (ADBA) hinges on promptly identifying suitable ADB, ensuring reliable differentiation of all perturbation directions. For this purpose, we analyze the probability distribution of decision boundaries, confirming that using the distribution's median value as ADB can effectively distinguish different perturbation directions, giving rise to the development of the ADBA-md algorithm. ADBA-md only requires four queries on average to differentiate any pair of perturbation directions, which is highly query-efficient. Extensive experiments on six well-known image classifiers clearly demonstrate the superiority of ADBA and ADBA-md over multiple state-of-the-art black-box attacks. The source code is available at https://github.com/BUPTAIOC/ADBA.
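The abstract's central point is that a decision-based attack does not need the exact boundary radius along each candidate direction; it only needs to know which of two directions crosses the boundary sooner, and a single probe radius (the approximation decision boundary) can answer that. The block below is an added illustration written for this page, not code from the authors' ADBA repository. It builds a constructed two-dimensional linear classifier exposed only through a hard-label oracle, counts queries, and contrasts a bisection search to the exact boundary radius with a comparison that probes both directions at one trial radius. The rule that moves the trial radius when both probes agree (bisecting between a "both still clean" and a "both already adversarial" radius) is an assumption made here; the paper's ADBA-md instead uses the median of the estimated boundary distribution.

```python
"""Comparing two perturbation directions against a hard-label oracle at a
single trial radius instead of locating each boundary exactly.
Constructed illustration; not the ADBA authors' code."""
import math


class HardLabelOracle:
    """Constructed 2-D linear classifier that returns only the top-1 label
    and counts how many times it was queried."""

    def __init__(self, w, b):
        self.w, self.b = w, b
        self.queries = 0

    def label(self, x):
        self.queries += 1
        return 1 if self.w[0] * x[0] + self.w[1] * x[1] + self.b > 0 else 0


def perturb(x0, d, r):
    """Move r units from x0 along the (unit) direction d."""
    return (x0[0] + r * d[0], x0[1] + r * d[1])


def exact_boundary(oracle, x0, y0, d, r_max=4.0, tol=1e-3):
    """Bisection to the boundary radius along d. Returns (radius, queries).
    Cost grows with log2(r_max / tol), paid once per direction."""
    start = oracle.queries
    lo, hi = 0.0, r_max
    if oracle.label(perturb(x0, d, hi)) == y0:
        return math.inf, oracle.queries - start  # never crosses within r_max
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if oracle.label(perturb(x0, d, mid)) == y0:
            lo = mid
        else:
            hi = mid
    return hi, oracle.queries - start


def compare_at_adb(oracle, x0, y0, d1, d2, adb, r_max=4.0, tol=1e-3):
    """Probe both directions at radius adb. If exactly one probe is
    adversarial, that direction's boundary lies below adb and the other's
    above it, so the ordering is settled with two queries. If both agree,
    adb is moved (bisection here; the paper uses a distribution median)
    and the pair is probed again. Returns ("d1" | "d2" | "tie", queries)."""
    start = oracle.queries
    lo, hi = 0.0, r_max
    while hi - lo > tol:
        a1 = oracle.label(perturb(x0, d1, adb)) != y0
        a2 = oracle.label(perturb(x0, d2, adb)) != y0
        if a1 != a2:
            return ("d1" if a1 else "d2"), oracle.queries - start
        if a1:        # both already adversarial: both boundaries are below adb
            hi = adb
        else:         # neither adversarial: both boundaries are above adb
            lo = adb
        adb = (lo + hi) / 2
    return "tie", oracle.queries - start


def demo():
    """Constructed scenario: boundary at x = 1, clean point at the origin,
    d1 points straight at the boundary, d2 at 45 degrees (farther)."""
    oracle = HardLabelOracle(w=(1.0, 0.0), b=-1.0)
    x0, y0 = (0.0, 0.0), 0
    d1 = (1.0, 0.0)
    d2 = (math.sqrt(0.5), math.sqrt(0.5))

    r1, q1 = exact_boundary(oracle, x0, y0, d1)
    r2, q2 = exact_boundary(oracle, x0, y0, d2)
    better, q_adb = compare_at_adb(oracle, x0, y0, d1, d2, adb=1.2)
    better_low, q_low = compare_at_adb(oracle, x0, y0, d1, d2, adb=0.5)

    return {
        "exact_r1": r1, "exact_r2": r2, "exact_queries": q1 + q2,
        "better": better, "adb_queries": q_adb,
        "better_from_bad_start": better_low, "adb_queries_bad_start": q_low,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the trial radius placed between the two true boundaries, the comparison costs two queries; starting it well below both boundaries costs three rounds (six queries), still a fraction of the two full bisection searches. The comparison never learns the boundary radii themselves, which is exactly the saving the abstract describes.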
Related papers
- Indiscriminate Disruption of Conditional Inference on Multivariate Gaussians [60.22542847840578] (2024-11-21)
Despite advances in adversarial machine learning, inference for Gaussian models in the presence of an adversary is notably understudied.
We consider a self-interested attacker who wishes to disrupt a decision-maker's conditional inference and subsequent actions by corrupting a set of evidentiary variables.
To avoid detection, the attacker also desires the attack to appear plausible, where plausibility is determined by the density of the corrupted evidence.
- AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338] (2024-08-04)
Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries.
We show that ACPT can detect 7 state-of-the-art query-based attacks with $>99\%$ detection rate within 5 shots.
We also show that ACPT is robust to 3 types of adaptive attacks.
- Decision-BADGE: Decision-based Adversarial Batch Attack with Directional Gradient Estimation [0.0] (2023-03-09)
Decision-BADGE is a novel method to craft universal adversarial perturbations for executing decision-based black-box attacks.
Our proposed method shows a superior success rate with less training time.
The research also shows that Decision-BADGE can successfully deceive unseen victim models and accurately target specific classes.
- Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition [99.29804193431823] (2022-11-23)
Black-box adversarial attacks present a realistic threat to action recognition systems.
We propose a new attack on action recognition that addresses these shortcomings by generating perturbations.
Our method achieves 8% and 12% higher deception rates than state-of-the-art query-based and transfer-based attacks, respectively.
- A Large-scale Multiple-objective Method for Black-box Attack against Object Detection [70.00150794625053] (2022-09-16)
We propose to minimize the true positive rate and maximize the false positive rate, which can encourage more false positive objects to block the generation of new true positive bounding boxes.
We extend the standard Genetic Algorithm with Random Subset selection and Divide-and-Conquer, called GARSDC, which significantly improves the efficiency.
Compared with state-of-the-art attack methods, GARSDC lowers mAP by an average of 12.0 and reduces queries by about 1000 times in extensive experiments.
- Query-Efficient and Scalable Black-Box Adversarial Attacks on Discrete Sequential Data via Bayesian Optimization [10.246596695310176] (2022-06-17)
We focus on the problem of adversarial attacks against models on discrete sequential data in the black-box setting.
We propose a query-efficient black-box attack using Bayesian optimization, which dynamically computes important positions.
We develop a post-optimization algorithm that finds adversarial examples with smaller perturbation size.
- Divide to Adapt: Mitigating Confirmation Bias for Domain Adaptation of Black-Box Predictors [94.78389703894042] (2022-05-28)
Domain Adaptation of Black-box Predictors (DABP) aims to learn a model on an unlabeled target domain supervised by a black-box predictor trained on a source domain.
It does not require access to either the source-domain data or the predictor parameters, thus addressing the data privacy and portability issues of standard domain adaptation.
We propose a new method, named BETA, to incorporate knowledge distillation and noisy label learning into one coherent framework.
- Data-Efficient and Interpretable Tabular Anomaly Detection [54.15249463477813] (2022-03-03)
We propose a novel framework that adapts a white-box model class, Generalized Additive Models, to detect anomalies.
In addition, the proposed framework, DIAD, can incorporate a small amount of labeled data to further boost anomaly detection performance in semi-supervised settings.
- RamBoAttack: A Robust Query Efficient Deep Neural Network Decision Exploit [9.93052896330371] (2021-12-10)
We develop a robust query efficient attack capable of avoiding entrapment in a local minimum and misdirection from noisy gradients.
The RamBoAttack is more robust to the different sample inputs available to an adversary and to the targeted class.
- Bi-Classifier Determinacy Maximization for Unsupervised Domain Adaptation [24.9073164947711] (2020-12-13)
We present Bi-Classifier Determinacy Maximization (BCDM) to tackle this problem.
Motivated by the observation that target samples cannot always be separated distinctly by the decision boundary, we design a novel classifier determinacy disparity metric.
BCDM can generate discriminative representations by encouraging target predictive outputs to be consistent and determined.
This list is automatically generated from the titles and abstracts of the papers in this site.