BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian Optimization
Keywords: Adversarial Attack, Bayesian Optimization
Abstract: Decision-based attacks (DBA), wherein attackers perturb inputs to spoof learning algorithms by observing solely the output labels, are a type of severe adversarial attacks against Deep Neural Networks (DNNs) that require minimal knowledge of attackers. Most existing DBA attacks rely on zeroth-order gradient estimation and require an excessive number ($>$20,000) of queries to converge. To better understand the attack, this paper presents an efficient DBA attack technique, namely BO-DBA, that greatly improves the query efficiency. We achieve this by introducing dimension reduction techniques and derivative-free optimization to the process of closest decision boundary search. In BO-DBA, we adopt the Gaussian process to model the distribution of decision boundary radius over a low-dimensional search space defined by perturbation generator functions. Bayesian Optimization is then leveraged to find the optimal direction. Experimental results on pre-trained ImageNet classifiers show that BO-DBA converges within 200 queries while the state-of-the-art DBA techniques using zeroth order optimization need over 15,000 queries to achieve the same level of perturbation distortion.
One-sentence Summary: We propose a decision-based adversarial attack by formulating the optimization problem as a real-valued optimization problem and solve the problem via Bayesian Optimization.
13 Replies
Loading