Simple Black-box Adversarial Attacks (1905.07121v2)

Abstract: We propose an intriguingly simple method for the construction of adversarial images in the black-box setting. In constrast to the white-box scenario, constructing black-box adversarial images has the additional constraint on query budget, and efficient attacks remain an open problem to date. With only the mild assumption of continuous-valued confidence scores, our highly query-efficient algorithm utilizes the following simple iterative principle: we randomly sample a vector from a predefined orthonormal basis and either add or subtract it to the target image. Despite its simplicity, the proposed method can be used for both untargeted and targeted attacks -- resulting in previously unprecedented query efficiency in both settings. We demonstrate the efficacy and efficiency of our algorithm on several real world settings including the Google Cloud Vision API. We argue that our proposed algorithm should serve as a strong baseline for future black-box attacks, in particular because it is extremely fast and its implementation requires less than 20 lines of PyTorch code.

• The paper presents SimBA, a method that achieves query efficiency in black-box settings by using as few as 1.4 queries per update.
• It employs random direction sampling with Cartesian and DCT bases to reduce correct class confidence, achieving nearly 100% success on ImageNet.
• The findings underscore a paradigm shift in adversarial strategies and highlight the urgent need for robust defenses in real-world ML applications.

Overview of "Simple Black-box Adversarial Attacks"

The paper "Simple Black-box Adversarial Attacks" presents an efficient and minimalistic approach to constructing adversarial examples in a black-box setting. The primary contribution is a method termed Simple Black-box Attack (SimBA), which operates under the constraints inherent in limited-query scenarios, typical of black-box models. This approach emphasizes query efficiency while targeting machine learning models that output continuous confidence scores, such as those found in APIs like Google Cloud Vision.

Methodology

SimBA introduces a straightforward iterative procedure for modifying images:

1. Random Direction Sampling: The method involves sampling a vector from a predefined orthonormal basis and either adding or subtracting it from the target image. The goal is to reduce the confidence associated with the correct class prediction.
2. Query Efficiency: Contrary to complex alternatives requiring extensive querying and computation, SimBA optimizes the number of queries significantly. The paper claims it achieves unprecedented query efficiency by merely using 1.4 to 1.5 queries per update, averaging across multiple settings.
3. Basis Selection: The two primary bases explored in the paper are the standard Cartesian basis and a low-frequency Discrete Cosine Transform (DCT) basis. Each has distinct implications on attack success, with the DCT basis showing particular promise in query efficiency and image distortion minimization.

Results and Implications

Numerical Performance

The authors demonstrate SimBA's effectiveness across different datasets, including ImageNet and Google Cloud Vision:

• ImageNet Performance: When tested against state-of-the-art black-box attacks such as the QL-attack and others, SimBA showed lower average perturbation norms and fewer required queries. Notably, it achieved nearly 100% success rates in untargeted attacks using fewer than 2,000 queries on average.
• Google Cloud Vision: SimBA's 70% success rate with only 5,000 queries illustrates its real-world application potential, significantly outperforming alternatives like LFBA under API constraints.

Theoretical Considerations

The simplicity and efficacy of SimBA underscore a potential paradigm shift towards adopting minimalistic strategies in adversarial attacks, especially when faced with practical constraints such as query limits and opaque model architectures. The paper provides insights into how low-dimensional frequency spaces can be leveraged to enhance the adversarial direction's potency without requiring gradient information.

Speculation on Future Developments

SimBA's results invite further research into optimizing orthonormal basis selection and adaptive learning rates to refine adversarial attack strategies. Given SimBA's reduced computational overhead, its applicability might extend beyond image classification to domains like audio processing and reinforcement learning, where continuous feedback from black-box systems can be exploited similarly.

Moreover, the findings prompt the necessity for improved defenses against black-box attacks. The potential ease of implementing SimBA raises concerns about the vulnerability of deployed ML systems in environments lacking granular model exposure.

Conclusion

"Simple Black-box Adversarial Attacks" provides a significant contribution to adversarial machine learning, presenting a robust, efficient approach for attacking black-box models. The paper's insights into leveraging model output scores with minimal invasiveness offer a new baseline for adversarial research. The work serves as a compelling call to arms for developing robust security measures tailored to increasingly prevalent black-box settings.