Boosting Decision-Based Black-Box Adversarial Attacks with Random Sign Flip

被引：25

作者：

Chen, Weilun ^{[1
,2
]}

Zhang, Zhaoxiang ^{[1
,2
,3
]}

Hu, Xiaolin ^{[4
]}

Wu, Baoyuan ^{[5
,6
]}

机构：

[1] Chinese Acad Sci CASIA, Inst Automat, CRIPAC, NLPR, Beijing, Peoples R China

[2] Univ Chinese Acad Sci UCAS, Sch Artificial Intelligence, Beijing, Peoples R China

[3] Chinese Acad Sci, Ctr Excellence Brain Sci & Intelligence Technol, Beijing, Peoples R China

[4] Tsinghua Univ, Beijing, Peoples R China

[5] Chinese Univ Hong Kong, Shenzhen, Peoples R China

[6] Tencent AI Lab, Shenzhen, Peoples R China

来源：

COMPUTER VISION - ECCV 2020, PT XV | 2020年 / 12360卷

基金：

中国国家自然科学基金;

关键词：

Adversarial examples; Decision-based attacks;

D O I：

10.1007/978-3-030-58555-6_17

中图分类号：

TP18 [人工智能理论];

学科分类号：

081104 ; 0812 ; 0835 ; 1405 ;

摘要：

Decision-based black-box adversarial attacks (decision-based attack) pose a severe threat to current deep neural networks, as they only need the predicted label of the target model to craft adversarial examples. However, existing decision-based attacks perform poorly on the l(infinity) setting and the required enormous queries cast a shadow over the practicality. In this paper, we show that just randomly flipping the signs of a small number of entries in adversarial perturbations can significantly boost the attack performance. We name this simple and highly efficient decision-based l(infinity) attack as Sign Flip Attack. Extensive experiments on CIFAR-10 and ImageNet show that the proposed method outperforms existing decision-based attacks by large margins and can serve as a strong baseline to evaluate the robustness of defensive models. We further demonstrate the applicability of the proposed method on real-world systems.

引用

页码：276 / 293

页数：18

共 53 条

[1]

Al-Dujaili A., 2020, P INT C LEARN REPR

[2]

Alzantot M, 2019, Arxiv, DOI arXiv:1805.11090

[3]

[Anonymous], 2018, INT C LEARN REPR

[4]

Athalye A, 2018, Arxiv, DOI arXiv:1707.07397

[5]

Athalye A, 2018, PR MACH LEARN RES, V80

[6] Practical Black-Box Attacks on Deep Neural Networks Using Efficient Query Mechanisms [J].

Bhagoji, Arjun Nitin ;

He, Warren ;

Li, Bo ;

Song, Dawn .

COMPUTER VISION - ECCV 2018, PT XII, 2018, 11216 :158-174

[7]

Biggio Battista, 2013, Machine Learning and Knowledge Discovery in Databases. European Conference, ECML PKDD 2013. Proceedings: LNCS 8190, P387, DOI 10.1007/978-3-642-40994-3_25

[8]

Brendel W., 2018, P INT C LEARN REPR

[9] Towards Evaluating the Robustness of Neural Networks [J].

Carlini, Nicholas ;

Wagner, David .

2017 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP), 2017, :39-57

[10]

Chen JB, 2020, Arxiv, DOI [arXiv:1904.02144, DOI 10.48550/ARXIV.1904.02144]

← 1 2 3 4 5 6 →