QUICK REVIEW

[Paper Summary] Simple Black-box Adversarial Attacks

Chuan Guo, Jacob R. Gardner | arXiv (Cornell University) | May 17, 2019
Adversarial Robustness in Machine Learning | Cited by 160
One-sentence summary

Introduces SimBA, a simple and highly query-efficient black-box attack that perturbs an input along randomly chosen orthonormal directions, accepting each step only if the model's returned confidence scores move in the attacker's favour, and reaches success rates competitive with prior attacks using far fewer queries.

ABSTRACT

We propose an intriguingly simple method for the construction of adversarial images in the black-box setting. In contrast to the white-box scenario, constructing black-box adversarial images has the additional constraint on query budget, and efficient attacks remain an open problem to date. With only the mild assumption of continuous-valued confidence scores, our highly query-efficient algorithm utilizes the following simple iterative principle: we randomly sample a vector from a predefined orthonormal basis and either add or subtract it to the target image. Despite its simplicity, the proposed method can be used for both untargeted and targeted attacks -- resulting in previously unprecedented query efficiency in both settings. We demonstrate the efficacy and efficiency of our algorithm on several real world settings including the Google Cloud Vision API. We argue that our proposed algorithm should serve as a strong baseline for future black-box attacks, in particular because it is extremely fast and its implementation requires less than 20 lines of PyTorch code.

Research Motivation and Goals

  • Motivate and formalize a practical black-box adversarial attack in which the adversary sees only confidence scores and is limited by a query budget.
  • Introduce SimBA, a simple iterative method that searches along orthonormal directions guided by the model's returned confidence scores.
  • Evaluate SimBA against existing black-box attacks on ImageNet classifiers and on the real-world Google Cloud Vision API.
  • Provide theoretical insight into the perturbation-norm bound and practical guidance for choosing the basis and the step size.

Proposed Method

  • Iteratively draw a random search direction q, without replacement, from a predefined orthonormal basis Q.
  • Query the model with x + δ + εq; if the probability of the attacked label does not decrease (untargeted attack) or the target-class probability does not increase (targeted attack), query x + δ − εq instead.
  • Keep a step only if it improves the objective; because the directions are orthogonal, no later step can cancel an earlier one, and a direction that helps in neither sign is simply discarded.
  • Use either pixel-space directions (Q = the standard basis) or low-frequency DCT-space directions (Q_DCT) as the search space.
  • Orthogonality bounds the final perturbation: after T iterations, ||δ_T||_2 <= sqrt(T) * ε, with equality when every iteration accepts a step, which ties the query budget T directly to the perturbation size.
  • The only hyper-parameters are the basis Q and the step size ε; no gradient information is required.
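The procedure above, written out as a runnable added example (this is not the authors' PyTorch code): a pure-Python SimBA that attacks a constructed random linear softmax classifier through its probability outputs only, using either the pixel-space standard basis or a 1-D low-frequency DCT basis as the orthonormal search space, in untargeted and targeted mode. `ToyClassifier`, `run_demo`, the input vector and all constants are assumptions chosen for illustration; nothing here is data from the paper.

```python
import math
import random


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


class ToyClassifier:
    """Constructed stand-in for the victim model: a random linear softmax classifier
    over a flat dim-dimensional input. The attacker only ever calls probs()."""

    def __init__(self, n_classes, dim, seed=0):
        rng = random.Random(seed)
        self.W = [[rng.gauss(0.0, 1.0) / math.sqrt(dim) for _ in range(dim)]
                  for _ in range(n_classes)]

    def probs(self, x):
        return softmax([sum(w * xi for w, xi in zip(row, x)) for row in self.W])


def standard_basis(dim):
    """Pixel-space basis: one unit vector per coordinate (plain SimBA)."""
    return [[1.0 if j == i else 0.0 for j in range(dim)] for i in range(dim)]


def dct_basis(dim, keep):
    """Orthonormal DCT-II vectors of a length-dim signal, lowest `keep` frequencies
    only: a 1-D analogue of the low-frequency subspace used by SimBA-DCT."""
    basis = []
    for k in range(keep):
        scale = math.sqrt(1.0 / dim) if k == 0 else math.sqrt(2.0 / dim)
        basis.append([scale * math.cos(math.pi * (n + 0.5) * k / dim) for n in range(dim)])
    return basis


def simba(probs_fn, x, label, basis, eps, max_queries, target=None, seed=0):
    """Untargeted (target is None): push p(label) down until argmax != label.
    Targeted: push p(target) up until argmax == target.
    Directions are drawn without replacement and tried as +eps, then -eps."""
    rng = random.Random(seed)
    order = list(range(len(basis)))
    rng.shuffle(order)

    def objective(p):  # larger is better for the attacker
        return p[target] if target is not None else -p[label]

    def done(p):
        top = max(range(len(p)), key=p.__getitem__)
        return top == target if target is not None else top != label

    x_adv = list(x)
    p_best = probs_fn(x_adv)
    queries, steps, cur = 1, 0, objective(p_best)
    success = done(p_best)
    for idx in order:
        if success or queries >= max_queries:
            break
        q = basis[idx]
        for sign in (eps, -eps):
            cand = [a + sign * b for a, b in zip(x_adv, q)]
            p = probs_fn(cand)
            queries += 1
            if objective(p) > cur:  # accept: orthogonality means no later step undoes this
                x_adv, p_best, cur, steps = cand, p, objective(p), steps + 1
                success = done(p)
                break
            if queries >= max_queries:
                break
    delta = [a - b for a, b in zip(x_adv, x)]
    return {"x_adv": x_adv, "delta": delta, "queries": queries,
            "steps": steps, "success": success, "p_final": p_best}


def l2(v):
    return math.sqrt(sum(a * a for a in v))


def run_demo(dim=64, n_classes=10, eps=0.5, max_queries=500):
    model = ToyClassifier(n_classes, dim, seed=1)
    rng = random.Random(2)
    x = [rng.gauss(0.0, 1.0) for _ in range(dim)]  # constructed "image"
    p0 = model.probs(x)
    label = max(range(n_classes), key=p0.__getitem__)  # attack the model's own prediction
    target = (label + 1) % n_classes
    return {
        "label": label, "target": target, "p0": p0, "eps": eps,
        "pixel_untargeted": simba(model.probs, x, label, standard_basis(dim), eps, max_queries),
        "dct_untargeted": simba(model.probs, x, label, dct_basis(dim, 16), eps, max_queries),
        "pixel_targeted": simba(model.probs, x, label, standard_basis(dim), eps, max_queries,
                                target=target),
    }


if __name__ == "__main__":
    r = run_demo()
    for name in ("pixel_untargeted", "dct_untargeted", "pixel_targeted"):
        a = r[name]
        print(f"{name}: success={a['success']} queries={a['queries']} steps={a['steps']} "
              f"||delta||_2={l2(a['delta']):.3f} sqrt(T)*eps={math.sqrt(a['steps']) * r['eps']:.3f}")
```

Running the file prints, for each configuration, whether the prediction flipped, the number of queries spent and steps accepted, and the measured ||δ||_2 next to sqrt(T)·ε; the two agree, which is the orthogonality bound stated above. Note that the query count is what a rate-limiting defender actually observes: a rejected direction costs two queries and contributes nothing to δ, so the norm bound is in terms of accepted steps T, not API calls.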

Experimental Results

Research Questions

  • RQ1: How can an adversary construct imperceptible adversarial examples in a black-box setting with limited queries?
  • RQ2: Does using orthonormal search directions (pixel-space or low-frequency DCT-space) enable efficient navigation toward the decision boundary?
  • RQ3: What is the trade-off between query budget and perturbation norm in a simple black-box attack?
  • RQ4: Can a simple, fast implementation achieve competitive success rates against real-world services like Google Cloud Vision?

Main Findings

  • SimBA achieves high success rates with significantly fewer queries than strong baselines on ImageNet in both untargeted and targeted attacks.
  • SimBA in pixel space (SimBA) and in low-frequency DCT space (SimBA-DCT) reach near-100% success with far fewer queries than competitors (e.g., SimBA requiring around 1,665 average queries untargeted; SimBA-DCT around 1,283).
  • SimBA-DCT often converges faster but may fail on a subset of images within a strict query cap, whereas SimBA maintains more consistent success across images.
  • On Google Cloud Vision, SimBA attains about 70% success within 5,000 API calls, outperforming LFBA under the same budget.
  • Perturbations produced by SimBA and SimBA-DCT have substantially lower average L2 norms than those of QL-attack, so the attack is more efficient in perturbation size as well as in queries.
  • The attack is robust across multiple architectures (ResNet-50, DenseNet-121) though some networks (e.g., Inception v3) require more queries for success.


This summary was generated by AI and reviewed by a human editor.