
STBA: Towards Evaluating the Robustness of DNNs for Query-Limited Black-box Scenario (2404.00362v2)

Published 30 Mar 2024 in cs.CV and eess.IV

Abstract: Many attack techniques have been proposed to explore the vulnerability of DNNs and further help to improve their robustness. Despite the significant progress made recently, existing black-box attack methods still suffer from unsatisfactory performance due to the vast number of queries needed to optimize desired perturbations. Besides, the other critical challenge is that adversarial examples built in a noise-adding manner are abnormal and struggle to successfully attack robust models, whose robustness is enhanced by adversarial training against small perturbations. There is no doubt that these two issues mentioned above will significantly increase the risk of exposure and result in a failure to dig deeply into the vulnerability of DNNs. Hence, it is necessary to evaluate DNNs' fragility sufficiently under query-limited settings in a non-additional way. In this paper, we propose the Spatial Transform Black-box Attack (STBA), a novel framework to craft formidable adversarial examples in the query-limited scenario. Specifically, STBA introduces a flow field to the high-frequency part of clean images to generate adversarial examples and adopts the following two processes to enhance their naturalness and significantly improve the query efficiency: a) we apply an estimated flow field to the high-frequency part of clean images to generate adversarial examples instead of introducing external noise to the benign image, and b) we leverage an efficient gradient estimation method based on a batch of samples to optimize such an ideal flow field under query-limited settings. Compared to existing score-based black-box baselines, extensive experiments indicated that STBA could effectively improve the imperceptibility of the adversarial examples and remarkably boost the attack success rate under query-limited settings.
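The abstract's central point is that the perturbation is not added to the image but produced by warping its high-frequency band with a flow field. The following is an added illustration, not code from the STBA paper or its authors: it splits a constructed sample image into low- and high-frequency bands with a box filter, warps only the high band with a small, smooth flow field by bilinear resampling, recombines the bands, and reports the pixel-wise distance to the clean image. No model is queried and no flow is optimised (the query-efficient gradient estimation the abstract mentions is deliberately left out); the flow field, the filter radius, the function names and the amplitude are all assumptions of this example. The reported distances show why an additive L-infinity budget is the wrong yardstick for this perturbation family when evaluating or defending a model: a barely visible warp of fine texture moves many pixels by much more than a typical additive bound.

```python
"""Flow-field (spatial) perturbation of an image's high-frequency band.

Added example, not code from the STBA paper. It illustrates the
"non-additive" perturbation idea: warp the high-frequency part of the
image with a small flow field instead of adding noise. The box-filter
band split, the constructed sample image, the constructed flow field and
all function names are assumptions of this example.
"""
import numpy as np


def box_blur(img, radius=2):
    """Separable-free box filter with edge padding; serves as the low-pass."""
    k = 2 * radius + 1
    pad = np.pad(img, ((radius, radius), (radius, radius)), mode="edge")
    h, w = img.shape
    out = np.zeros((h, w), dtype=np.float64)
    for dy in range(k):
        for dx in range(k):
            out += pad[dy:dy + h, dx:dx + w]
    return out / (k * k)


def split_bands(img, radius=2):
    """Return (low, high) with low + high == img exactly."""
    low = box_blur(img, radius)
    return low, img - low


def warp(img, flow):
    """Bilinear backward warp: out[y, x] = img[y + flow[0][y, x], x + flow[1][y, x]].

    Source coordinates are clamped to the image, so a flow pointing outside
    the frame samples the nearest border pixel instead of failing.
    """
    h, w = img.shape
    ys, xs = np.mgrid[0:h, 0:w].astype(np.float64)
    sy = np.clip(ys + flow[0], 0, h - 1)
    sx = np.clip(xs + flow[1], 0, w - 1)
    y0 = np.floor(sy).astype(int)
    x0 = np.floor(sx).astype(int)
    y1 = np.minimum(y0 + 1, h - 1)
    x1 = np.minimum(x0 + 1, w - 1)
    wy = sy - y0
    wx = sx - x0
    return ((1 - wy) * (1 - wx) * img[y0, x0] + (1 - wy) * wx * img[y0, x1]
            + wy * (1 - wx) * img[y1, x0] + wy * wx * img[y1, x1])


def spatial_perturb(img, flow, radius=2):
    """Warp only the high-frequency band, then recombine and clip to [0, 1]."""
    low, high = split_bands(img, radius)
    return np.clip(low + warp(high, flow), 0.0, 1.0)


def make_test_image(n=32, seed=0):
    """Constructed sample: a smooth horizontal gradient plus a 4x4 checkerboard
    texture (the high-frequency content) and a little sensor-like noise."""
    rng = np.random.default_rng(seed)
    ys, xs = np.mgrid[0:n, 0:n]
    base = 0.5 + 0.3 * np.sin(xs / n * 2 * np.pi)
    texture = 0.15 * (((ys // 4 + xs // 4) % 2) * 2 - 1)
    return np.clip(base + texture + 0.02 * rng.standard_normal((n, n)), 0.0, 1.0)


def smooth_flow(n, amplitude=0.5):
    """Constructed smooth flow field (dy, dx) with sub-pixel amplitude."""
    ys, xs = np.mgrid[0:n, 0:n]
    fy = amplitude * np.sin(2 * np.pi * xs / n)
    fx = amplitude * np.cos(2 * np.pi * ys / n)
    return np.stack([fy, fx])


def perturbation_stats(clean, adv):
    """Pixel-wise distances a defender would compare against an additive budget."""
    d = adv - clean
    return {"linf": float(np.abs(d).max()),
            "l2": float(np.sqrt((d ** 2).sum())),
            "mean_abs": float(np.abs(d).mean())}


if __name__ == "__main__":
    img = make_test_image()
    adv = spatial_perturb(img, smooth_flow(img.shape[0]))
    print(perturbation_stats(img, adv))
```

The sub-pixel warp leaves the smooth low band untouched, so the image looks the same to the eye, yet `perturbation_stats` reports a non-trivial L-infinity distance because the texture edges have moved. Robustness evaluation that only sweeps an additive epsilon ball therefore says nothing about this family of inputs; a defender who adversarially trains or monitors for additive noise alone should expect exactly the gap the abstract describes.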

