Prior Convictions: Black-box Adversarial Attacks with Bandits and PriorsDownload PDF

Sep 27, 2018 (edited Feb 21, 2019)ICLR 2019 Conference Blind SubmissionReaders: Everyone
  • Abstract: We study the problem of generating adversarial examples in a black-box setting in which only loss-oracle access to a model is available. We introduce a framework that conceptually unifies much of the existing work on black-box attacks, and demonstrate that the current state-of-the-art methods are optimal in a natural sense. Despite this optimality, we show how to improve black-box attacks by bringing a new element into the problem: gradient priors. We give a bandit optimization-based algorithm that allows us to seamlessly integrate any such priors, and we explicitly identify and incorporate two examples. The resulting methods use two to four times fewer queries and fail two to five times less than the current state-of-the-art. The code for reproducing our work is available at
  • Keywords: adversarial examples, gradient estimation, black-box attacks, model-based optimization, bandit optimization
  • TL;DR: We present a unifying view on black-box adversarial attacks as a gradient estimation problem, and then present a framework (based on bandits optimization) to integrate priors into gradient estimation, leading to significantly increased performance.
17 Replies