BlackboxBench: A Comprehensive Benchmark of Black-box Adversarial Attacks (2312.16979v2)

Published 28 Dec 2023 in cs.CR

Abstract: Adversarial examples are well-known tools for evaluating the vulnerability of deep neural networks (DNNs). Although many adversarial attack algorithms have been developed, the practical scenario in which the model's parameters and architecture are inaccessible to the attacker/evaluator, i.e., black-box adversarial attacks, remains challenging. Owing to its practical importance, recent algorithms have made rapid progress, reflected in quickly rising attack success rates and quickly falling query counts against the target model. However, thorough evaluations and comparisons among these algorithms are lacking, making it difficult to track real progress, analyze the advantages and disadvantages of different technical routes, and design a development roadmap for this field. Thus, we aim to build a comprehensive benchmark of black-box adversarial attacks, called BlackboxBench. It mainly provides: 1) a unified, extensible and modular codebase implementing 29 query-based attack algorithms and 30 transfer-based attack algorithms; 2) comprehensive evaluations: we evaluate the implemented algorithms against several mainstream model architectures on 2 widely used datasets (CIFAR-10 and a subset of ImageNet), leading to 14,950 evaluations in total; 3) thorough analysis and new insights, as well as analytical tools. The website and source code of BlackboxBench are available at https://blackboxbenchmark.github.io/ and https://github.com/SCLBD/BlackboxBench/, respectively.

Summary

  • The paper introduces BlackboxBench, a unified codebase implementing 25 query-based and 30 transfer-based adversarial attacks for standardized benchmarking.
  • It conducts 14,106 evaluations on CIFAR-10 and a subset of ImageNet to establish robust performance benchmarks and leaderboards.
  • It offers thorough analysis and new insights through 13 types of analyses, together with analytical tools, to uncover adversarial vulnerabilities and guide the development of stronger DNN defenses.

Insightful Overview of the "BlackboxBench: A Comprehensive Benchmark of Black-box Adversarial Attacks" Paper

The paper "BlackboxBench: A Comprehensive Benchmark of Black-box Adversarial Attacks" addresses the complexities and challenges associated with black-box adversarial attacks on deep neural networks (DNNs). This paper presents BlackboxBench, a benchmarking tool and codebase designed to evaluate and compare various black-box adversarial attacks effectively. The authors emphasize the significance of black-box adversarial attacks, especially in practical scenarios where attackers have limited access to a target model's internal parameters and architectures.

Key Contributions

The cornerstone of this paper is the introduction of BlackboxBench, which is meticulously crafted to offer several contributions:

  1. Unified Codebase: BlackboxBench provides a modular and unified codebase that currently implements 25 query-based and 30 transfer-based adversarial attack algorithms, making it a comprehensive resource in this field. This extensibility ensures that the benchmark can evolve as new methods are introduced (a hedged sketch of what one such query-based attack looks like appears after this list).
  2. Comprehensive Evaluations: The authors conduct a vast number of evaluations, amounting to 14,106 in total, using widely recognized datasets such as CIFAR-10 and a subset of ImageNet. Such exhaustive testing establishes benchmarks and leaderboards that document the progress of black-box adversarial attack methodologies.
  3. Thorough Analysis: The paper offers detailed analysis and insights into black-box adversarial attacks through 13 types of analysis, assisted by analytical tools designed to broaden the understanding of adversarial vulnerabilities. This equips researchers with the tools needed to uncover the underlying mechanisms of these attacks and strengthen DNN robustness.
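
To make the modular design concrete, the following is a minimal sketch of a score-based, query-based attack in the spirit of SimBA-style per-coordinate random search, operating purely through a black-box `predict` callable. It is illustrative only: the function name, signature, and defaults are assumptions made for this overview, not BlackboxBench's actual API.

```python
import numpy as np

def simba_style_attack(predict, x, y, eps=8 / 255, step=1 / 255, max_queries=1000):
    """Score-based black-box attack via per-coordinate random search (SimBA-like sketch).

    `predict` is assumed to map a single image of shape (C, H, W) with values
    in [0, 1] to a vector of class probabilities; `y` is the true label.
    """
    x_adv = x.copy()
    prob = predict(x_adv)[y]                    # confidence in the true class
    n_queries = 1
    for d in np.random.permutation(x.size):     # visit coordinates in random order
        if n_queries >= max_queries:
            break
        for sign in (+1.0, -1.0):
            candidate = x_adv.flatten()
            candidate[d] = np.clip(candidate[d] + sign * step, 0.0, 1.0)
            candidate = candidate.reshape(x.shape)
            candidate = np.clip(candidate, x - eps, x + eps)  # stay in the l_inf ball
            p_new = predict(candidate)[y]
            n_queries += 1
            if p_new < prob:                    # keep any step that lowers true-class confidence
                x_adv, prob = candidate, p_new
                break
    success = predict(x_adv).argmax() != y      # one extra verification query
    return x_adv, success, n_queries
```

Under an interface of this kind, swapping in a different query-based attack only changes how perturbations are proposed and accepted, which is the sort of extensibility the benchmark emphasizes.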

Numerical Results and Analysis

The paper delivers strong numerical results from its evaluation suite, which exhibit the rapid progression of black-box adversarial attack methods. For instance, it traces the evolution of attack efficiency over the years, distinguishing between decision-based and score-based methodologies. Decision-based attacks have witnessed a marked improvement, displaying higher attack success rates (ASR) and lower average query numbers (AQN). Transfer-based attacks are similarly detailed, showing improvements over the years and highlighting feature-space and model-based attacks as particularly effective strategies, despite their increased computational overhead.
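
For reference, the two headline metrics can be computed as sketched below. The per-example record format is an assumption made for illustration, and conventions differ on whether AQN is averaged over successful attempts only or over all attempts.

```python
def attack_success_rate(records):
    """ASR: fraction of evaluated examples on which the attack succeeded."""
    return sum(r["success"] for r in records) / len(records)

def average_query_number(records):
    """AQN: mean queries over successful attempts (one common convention;
    some works average over all attempts instead)."""
    q = [r["queries"] for r in records if r["success"]]
    return sum(q) / len(q) if q else float("inf")

# hypothetical per-example results from a query-based attack run
records = [
    {"success": True, "queries": 212},
    {"success": False, "queries": 10000},
    {"success": True, "queries": 57},
]
print(f"ASR = {attack_success_rate(records):.2%}, "
      f"AQN = {average_query_number(records):.1f} queries")
```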

The paper also highlights the challenge of targeted attacks, for which achieving high transferability remains more difficult than for untargeted attacks. However, model-enhancing techniques have marginally bridged this gap, suggesting potential directions for future work in this subfield.
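
As a concrete illustration of the targeted/untargeted distinction, the sketch below crafts examples on a white-box surrogate with a generic PGD-style iteration; the resulting examples would then be submitted to the unseen target model. It is a baseline under assumed names and hyperparameters (`surrogate`, `eps`, `alpha`, `steps`), not any specific method benchmarked in the paper.

```python
import torch
import torch.nn.functional as F

def pgd_transfer_attack(surrogate, x, y_true, y_target=None,
                        eps=8 / 255, alpha=2 / 255, steps=10):
    """Craft adversarial examples on a white-box surrogate for transfer to an
    unseen target model. Untargeted mode maximizes the loss on the true label;
    targeted mode minimizes the loss on the chosen target label."""
    x_adv = x.clone().detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        logits = surrogate(x_adv)
        if y_target is None:
            loss = F.cross_entropy(logits, y_true)    # untargeted: ascend the loss
            direction = 1.0
        else:
            loss = F.cross_entropy(logits, y_target)  # targeted: descend the loss
            direction = -1.0
        grad, = torch.autograd.grad(loss, x_adv)
        with torch.no_grad():
            x_adv = x_adv + direction * alpha * grad.sign()
            x_adv = torch.min(torch.max(x_adv, x - eps), x + eps)  # project to l_inf ball
            x_adv = x_adv.clamp(0.0, 1.0)
        x_adv = x_adv.detach()
    return x_adv
```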

Implications and Future Prospects

The implications of this research are both practical and theoretical. Practically, BlackboxBench serves as a vital tool for researchers to benchmark and validate emerging black-box adversarial attack algorithms. The unified codebase offers a standardized approach to testing, making results comparable across different studies. Theoretically, the analyses foster a deeper understanding of the vulnerabilities inherent in neural networks and inspire the development of more robust defense mechanisms against such attacks.

Looking to the future, this benchmark sets the stage for further exploration into the transferability of adversarial attacks and the mitigation of adversarial effects in real-world applications. Additionally, the modularity of BlackboxBench invites contributions from the research community, potentially paving the way for innovative defenses and more sophisticated attack strategies. The emphasis on improving transferability in targeted attacks might emerge as a primary focus for subsequent research efforts.

In conclusion, BlackboxBench represents a substantial advancement in the domain of black-box adversarial attacks, providing valuable insights and a framework for continued research into the resilience and security of machine learning models against complex adversarial threats.
