Switching Gradient Directions for Query-Efficient Black-Box Adversarial Attacks

by Chen Ma, et al.

We propose a simple and highly query-efficient black-box adversarial attack named SWITCH, which achieves state-of-the-art performance under ℓ_2 and ℓ_∞ norms in the score-based setting. In the black-box attack setting, designing query-efficient attacks remains an open problem. The high query efficiency of the proposed approach stems from the combination of transfer-based attacks and random-search-based ones. The surrogate model's gradient 𝐠̂ is exploited for guidance, and it is switched if our algorithm detects, by using a query, that it does not point to the adversarial region, thereby keeping the objective loss function of the target model rising as much as possible. Two switch operations are available, i.e., SWITCH_neg and SWITCH_rnd. SWITCH_neg takes -𝐠̂ as the new direction, which is reasonable under an approximate local linearity assumption. SWITCH_rnd computes the gradient from another model, which is randomly selected from a large model set, to help bypass the potential obstacle in optimization. Experimental results show that these strategies boost the optimization process, whereas following the original surrogate gradients does not work. In SWITCH, no query is used to estimate the gradient, and all the queries aim to determine whether to switch directions, resulting in unprecedented query efficiency. We demonstrate that our approach outperforms 10 state-of-the-art attacks on the CIFAR-10, CIFAR-100 and TinyImageNet datasets. SWITCH can serve as a strong baseline for future black-box attacks. The PyTorch source code is released at https://github.com/machanic/SWITCH .
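A toy robustness-evaluation sketch of the SWITCH_neg decision rule from the abstract, added here as an illustration and not taken from the authors' released code. The two linear models, the sample point, the step size, the ℓ_∞ budget and the rule of keeping only loss-increasing moves are all assumptions made for this example.

```python
import math

# Constructed toy models (assumptions, not from the paper): the target is only
# queried for its loss; the surrogate is white-box and deliberately misaligned.
W_TARGET, W_SURR, LABEL = [1.0, -2.0, 0.5], [-1.0, 1.5, 0.5], 1
X0 = [0.5, -0.2, 0.3]                      # constructed sample input

def loss(w, x, y=LABEL):
    """Logistic loss of a linear classifier; larger means nearer misclassification."""
    margin = y * sum(wi * xi for wi, xi in zip(w, x))
    return math.log1p(math.exp(-margin))

def surrogate_sign(x, y=LABEL):
    """Sign of the surrogate's loss gradient w.r.t. x (x-independent when linear)."""
    return [(-y * wi > 0) - (-y * wi < 0) for wi in W_SURR]

def step(x, x0, direction, alpha, eps):
    """Move alpha along direction, then project into the l_inf ball around x0."""
    return [min(max(xi + alpha * d, oi - eps), oi + eps)
            for xi, d, oi in zip(x, direction, x0)]

def run(x0, iters=10, alpha=0.02, eps=0.1, switch=True):
    """Return (final target loss, number of target queries, final x)."""
    x, queries = list(x0), 1
    best = loss(W_TARGET, x)               # one query for the starting loss
    for _ in range(iters):
        g = surrogate_sign(x)
        cand = step(x, x0, g, alpha, eps)
        if not switch:                     # transfer-only baseline: never checks
            x = cand
            continue
        cand_loss = loss(W_TARGET, cand)   # the query that decides whether to switch
        queries += 1
        if cand_loss <= best:              # surrogate direction failed: try -g
            cand = step(x, x0, [-d for d in g], alpha, eps)
            cand_loss = loss(W_TARGET, cand)
            queries += 1
        if cand_loss > best:               # assumption: keep only loss-increasing moves
            x, best = cand, cand_loss
    # The final loss is recomputed for reporting only and is not counted as a query.
    return loss(W_TARGET, x), queries, x

if __name__ == "__main__":
    print("switch  :", run(X0, switch=True)[:2])
    print("baseline:", run(X0, switch=False)[:2])
```

On this constructed pair the surrogate direction lowers the target loss, so the transfer-only baseline ends below the starting loss while the switching run ends above it, which is the kind of gap a robustness evaluation should report alongside the query count.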




