
Efficient Black-box Adversarial Attacks via Bayesian Optimization Guided by a Function Prior (2405.19098v1)

Published 29 May 2024 in cs.LG, cs.AI, cs.CR, cs.CV, and stat.ML

Abstract: This paper studies the challenging black-box adversarial attack that aims to generate adversarial examples against a black-box model by only using output feedback of the model to input queries. Some previous methods improve the query efficiency by incorporating the gradient of a surrogate white-box model into query-based attacks due to the adversarial transferability. However, the localized gradient is not informative enough, making these methods still query-intensive. In this paper, we propose a Prior-guided Bayesian Optimization (P-BO) algorithm that leverages the surrogate model as a global function prior in black-box adversarial attacks. As the surrogate model contains rich prior information of the black-box one, P-BO models the attack objective with a Gaussian process whose mean function is initialized as the surrogate model's loss. Our theoretical analysis on the regret bound indicates that the performance of P-BO may be affected by a bad prior. Therefore, we further propose an adaptive integration strategy to automatically adjust a coefficient on the function prior by minimizing the regret bound. Extensive experiments on image classifiers and large vision-language models demonstrate the superiority of the proposed algorithm in reducing queries and improving attack success rates compared with the state-of-the-art black-box attacks. Code is available at https://github.com/yibo-miao/PBO-Attack.
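The abstract describes the mechanism only at a high level: a Gaussian process whose mean function is the surrogate model's loss, scaled by a coefficient that is adapted as queries come back. The toy below, written for this page and not taken from the paper or its GitHub repository, shows that mechanism end to end on a constructed victim. Everything model-specific is an assumption: the victim and surrogate are small tanh networks (the surrogate is a noisily perturbed copy of the victim, standing in for partial transferability), the acquisition rule is GP-UCB over a fixed random candidate pool inside the L-inf ball rather than a continuous acquisition optimiser, and the prior coefficient `beta` is refit by least squares on the observed victim losses as a simple stand-in for the paper's regret-bound criterion.

```python
"""Prior-guided Bayesian optimization for a score-based black-box attack (toy).

Added illustration of the idea in the abstract, not the paper's code.  Assumed
here: a small tanh-network victim and a noisy copy of it as the surrogate,
GP-UCB as the acquisition rule, a fixed random candidate pool inside the
L-inf ball instead of continuous acquisition optimisation, and a least-squares
fit of the prior coefficient beta as a stand-in for the paper's regret-bound
criterion.
"""
import numpy as np

rng = np.random.default_rng(0)
D, EPS = 8, 0.5                                  # input dimension, L-inf budget

# Constructed models: the surrogate's weights are a perturbed copy of the
# victim's, mimicking the partial transferability the prior relies on.
W1_T, W2_T = rng.normal(size=(D, 16)), rng.normal(size=16)
W1_S, W2_S = W1_T + 0.3 * rng.normal(size=(D, 16)), W2_T + 0.3 * rng.normal(size=16)
X0 = rng.normal(size=D)                          # constructed clean input

def score(x, W1, W2):
    return np.tanh(x @ W1) @ W2                  # works for shapes (D,) and (n, D)

LABEL = 1.0 if score(X0, W1_T, W2_T) >= 0 else -1.0   # victim's label on the clean input

def make_loss(W1, W2):
    """Untargeted margin loss of a perturbation delta; > 0 means misclassified."""
    return lambda delta: -LABEL * score(X0 + delta, W1, W2)

VICTIM_LOSS = make_loss(W1_T, W2_T)              # the black box: one query per call
SURROGATE_LOSS = make_loss(W1_S, W2_S)           # white box: free to evaluate

def surrogate_sign_grad_step():
    """FGSM-style step on the surrogate, the usual transfer-based starting point."""
    h = np.tanh(X0 @ W1_S)
    grad = -LABEL * (W1_S @ ((1 - h ** 2) * W2_S))   # d loss / d delta at delta = 0
    return EPS * np.sign(grad)

# Fixed candidate pool: random points in the L-inf ball plus the transfer step.
CANDS = np.vstack([rng.uniform(-EPS, EPS, size=(300, D)), surrogate_sign_grad_step()])

def rbf(A, B, ls=0.6):
    d2 = ((A[:, None, :] - B[None, :, :]) ** 2).sum(-1)
    return np.exp(-0.5 * d2 / ls ** 2)

def gp_posterior(Xobs, yobs, Xcand, prior_mean, beta, noise=1e-6):
    """GP with mean function beta * prior_mean: regress the residuals y - beta*m(x)."""
    m_cand = beta * prior_mean(Xcand)
    if len(Xobs) == 0:                           # no data yet: prior mean, unit variance
        return m_cand, np.ones(len(Xcand))
    K = rbf(Xobs, Xobs) + noise * np.eye(len(Xobs))
    Ks = rbf(Xcand, Xobs)
    alpha = np.linalg.solve(K, yobs - beta * prior_mean(Xobs))
    mu = m_cand + Ks @ alpha
    var = 1.0 - np.einsum("ij,ji->i", Ks, np.linalg.solve(K, Ks.T))
    return mu, np.sqrt(np.maximum(var, 1e-12))

def fit_beta(g_obs, y_obs, lo=0.0, hi=2.0):
    """Adaptive prior coefficient (stand-in for the paper's criterion): least-squares
    scale of the surrogate loss onto the observed victim loss, clipped so that a
    bad prior is downweighted instead of steering every query."""
    denom = float(g_obs @ g_obs)
    return 1.0 if denom == 0.0 else float(np.clip((g_obs @ y_obs) / denom, lo, hi))

def attack(victim_loss, surrogate_loss, cands, budget=25, kappa=2.0,
           beta0=1.0, adaptive=True):
    """GP-UCB over the pool. Returns (best_loss, queries_used, final_beta)."""
    Xobs, yobs, beta = [], [], beta0
    unused, best = np.ones(len(cands), dtype=bool), -np.inf
    for _ in range(min(budget, len(cands))):
        mu, sd = gp_posterior(np.array(Xobs).reshape(-1, cands.shape[1]),
                              np.array(yobs), cands, surrogate_loss, beta)
        i = int(np.argmax(np.where(unused, mu + kappa * sd, -np.inf)))
        unused[i] = False
        y = float(victim_loss(cands[i]))         # the only black-box query
        Xobs.append(cands[i])
        yobs.append(y)
        best = max(best, y)
        if adaptive and len(yobs) >= 3:
            beta = fit_beta(surrogate_loss(np.array(Xobs)), np.array(yobs))
        if best > 0:                             # label flipped: stop querying
            break
    return best, len(yobs), beta

def compare(budget=25):
    """Plain BO (beta fixed at 0) versus prior-guided BO with adaptive beta."""
    plain = attack(VICTIM_LOSS, SURROGATE_LOSS, CANDS, budget, beta0=0.0, adaptive=False)
    guided = attack(VICTIM_LOSS, SURROGATE_LOSS, CANDS, budget)
    return {"plain": plain, "guided": guided}

if __name__ == "__main__":
    for name, (best, n, beta) in compare().items():
        print(f"{name:7s} best loss {best:+.3f} after {n:2d} queries (beta={beta:.2f})")
```

Two properties are worth checking when building something like this: with no observations the posterior mean is exactly `beta` times the surrogate loss, so the first query is the surrogate's best guess and the attack degrades gracefully to plain BO as `beta` is driven toward 0; and far from every observed point the posterior mean reverts to the scaled surrogate rather than to zero, which is what makes the prior global instead of a local gradient hint. The clipping range for `beta` is a design choice of this toy, not a value from the paper.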

Authors (6)
  1. Shuyu Cheng (22 papers)
  2. Yibo Miao (24 papers)
  3. Yinpeng Dong (102 papers)
  4. Xiao Yang (158 papers)
  5. Xiao-Shan Gao (57 papers)
  6. Jun Zhu (424 papers)
Citations (2)
