CNFA: Conditional Normalizing Flow for Query-Limited Attack

Published: 2024, Last Modified: 06 Jan 2026. Venue: ICASSP 2024. License: CC BY-SA 4.0
Abstract: Traditional black-box attack methods rely on sufficient feedback from the victim model through a large number of queries until the attack is successful. This may not be acceptable in real applications, since the deployed system may be equipped with certain defense mechanisms and only return the final result (i.e., hard label) to the client. In contrast, one possible approach is formulating a hard label attack, which can be successfully executed within limited queries. To implement this idea, in this paper, we bypass the reliance on victim models and benefit from the intrinsic characteristics of adversarial examples (AEs) and the transferability of examples across different data-driven models. This motivates us to generatively reformulate the attack problem and propose a conditional normalized flow-based attack (CNFA), which builds up a statistical mapping from the benign example to its adversarial counterpart by tackling the conditional likelihood under the hard-label black-box setting. A well-trained CNFA model can directly and efficiently generate a batch of AEs for specific condition inputs. Extensive experiments validate the effectiveness of the proposed idea in a hard-label black-box setting and the superiority of CNFA over SOTA techniques.