
GenAttack: Practical Black-box Attacks with Gradient-Free Optimization (1805.11090v3)

Published 28 May 2018 in cs.LG, cs.AI, cs.CR, and cs.CV

Abstract: Deep neural networks are vulnerable to adversarial examples, even in the black-box setting, where the attacker is restricted solely to query access. Existing black-box approaches to generating adversarial examples typically require a significant number of queries, either for training a substitute network or performing gradient estimation. We introduce GenAttack, a gradient-free optimization technique that uses genetic algorithms for synthesizing adversarial examples in the black-box setting. Our experiments on different datasets (MNIST, CIFAR-10, and ImageNet) show that GenAttack can successfully generate visually imperceptible adversarial examples against state-of-the-art image recognition models with orders of magnitude fewer queries than previous approaches. Against MNIST and CIFAR-10 models, GenAttack required roughly 2,126 and 2,568 times fewer queries respectively, than ZOO, the prior state-of-the-art black-box attack. In order to scale up the attack to large-scale high-dimensional ImageNet models, we perform a series of optimizations that further improve the query efficiency of our attack leading to 237 times fewer queries against the Inception-v3 model than ZOO. Furthermore, we show that GenAttack can successfully attack some state-of-the-art ImageNet defenses, including ensemble adversarial training and non-differentiable or randomized input transformations. Our results suggest that evolutionary algorithms open up a promising area of research into effective black-box attacks.

Authors (6)
  1. Moustafa Alzantot (14 papers)
  2. Yash Sharma (45 papers)
  3. Supriyo Chakraborty (26 papers)
  4. Huan Zhang (171 papers)
  5. Cho-Jui Hsieh (211 papers)
  6. Mani Srivastava (58 papers)
Citations (246)

Summary

Overview of "GenAttack: Practical Black-box Attacks with Gradient-Free Optimization"

The paper "GenAttack: Practical Black-box Attacks with Gradient-Free Optimization" presents a novel approach to generating adversarial examples in black-box settings using a gradient-free optimization strategy. The technique, named GenAttack, utilizes genetic algorithms to effectively craft adversarial examples with significantly fewer queries compared to previous state-of-the-art black-box attack methods.

Key Contributions and Results

  1. Genetic Algorithm-Based Approach: GenAttack employs genetic algorithms, a population-based optimization technique, which is inspired by natural selection processes. Unlike traditional gradient-based adversarial attacks, GenAttack operates without computation or approximation of gradients, thus bypassing issues related to gradient estimation and obfuscation strategies adopted by modern defenses.
  2. Efficiency and Query Reduction: Through comprehensive experimentation on datasets such as MNIST, CIFAR-10, and ImageNet, GenAttack demonstrates a substantial reduction in the number of queries needed to successfully generate adversarial examples. Compared to ZOO (Zeroth Order Optimization), the previous leading method, it requires roughly 2,126 times fewer queries on MNIST and 2,568 times fewer on CIFAR-10, and 237 times fewer against the Inception-v3 ImageNet model.
  3. Scalability and Robustness: GenAttack successfully scales to complex datasets like ImageNet by incorporating dimensionality reduction techniques and adaptive parameter scaling, which further enhance query-efficiency. It proves capable of penetrating strong defenses such as ensemble adversarial training and non-differentiable input transformations, which typically thwart gradient-based attacks.
  4. Defensive Penetration: The paper highlights GenAttack's strength in addressing modern defense techniques, achieving notable success against renowned defense strategies like ensemble adversarial training and randomized input transformations, circumventing their mechanisms by virtue of GenAttack's gradient-free nature.

Implications and Future Work

The work suggests significant implications for both the development of adversarial attacks and the design of robust defenses. GenAttack poses a challenge to current adversarial defense paradigms, particularly those reliant on inducing gradient obfuscation or requiring knowledge of model internals.

Given its effectiveness in high-dimensional settings and against robust defenses, GenAttack opens potential avenues for future research in enhancing black-box attack models while emphasizing the need for more nuanced security strategies in AI systems. The application of evolutionary algorithms in adversarial contexts hints at broader applications in optimization problems across various domains of AI. Future developments could involve exploring hybrid models that combine genetic algorithms with other optimization strategies to further refine attacks, or adapting and integrating GenAttack methodologies for testing robustness in real-time AI-driven systems such as autonomous vehicles or health-monitoring devices.

In summary, GenAttack consolidates the potential of evolutionary algorithms in generating adversarial examples efficiently in black-box settings and hints at the need for evolving defense mechanisms that can withstand these sophisticated attacks.
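
A defender-side illustration of what the query-access restriction implies, added here and not taken from the paper or its authors: a population-based search for an imperceptible perturbation sends many queries that sit close to one original image, so a per-client near-duplicate check over the query log can surface it. The L-infinity metric, the thresholds, the client names and the sample traffic are all assumptions constructed for this example.

```python
import random
from collections import defaultdict, deque

def linf(a, b):
    """L-infinity distance between two equal-length pixel vectors."""
    return max(abs(x - y) for x, y in zip(a, b))

class NearDuplicateQueryDetector:
    """Flags a client whose recent queries cluster inside a small L-inf ball."""
    def __init__(self, eps=0.1, window=200, max_neighbors=20):
        # eps, window and max_neighbors are hypothetical tuning values.
        self.eps, self.max_neighbors = eps, max_neighbors
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.flagged = set()

    def observe(self, client_id, pixels):
        """Record one query; return True once this client has been flagged."""
        recent = self.history[client_id]
        neighbors = sum(1 for old in recent if linf(old, pixels) <= self.eps)
        recent.append(pixels)
        if neighbors >= self.max_neighbors:
            self.flagged.add(client_id)
        return client_id in self.flagged

def constructed_query_log(seed=0, dim=64, population=6, generations=10, delta=0.04):
    """Constructed traffic: one ordinary client and one population-style searcher."""
    rng = random.Random(seed)
    base = [rng.random() for _ in range(dim)]
    log = []
    for _ in range(generations):
        for _ in range(population):
            # Every candidate stays within +/- delta of the same base image.
            log.append(("client-search", [p + rng.uniform(-delta, delta) for p in base]))
        log.append(("client-normal", [rng.random() for _ in range(dim)]))  # unrelated image
    return log

def run_detection(log):
    """Replay the log; return flagged clients and the log index of each first flag."""
    det = NearDuplicateQueryDetector()
    first_flag = {}
    for i, (client, pixels) in enumerate(log):
        if det.observe(client, pixels) and client not in first_flag:
            first_flag[client] = i
    return det.flagged, first_flag

if __name__ == "__main__":
    print(run_detection(constructed_query_log()))
```

The check depends on attributing queries to a client; traffic spread across many identities would need a global similarity index instead of the per-client window used here.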