GenAttack: Practical Black-box Attacks with Gradient-Free Optimization

TL;DR

GenAttack introduces a gradient-free, genetic algorithm-based method for black-box adversarial attacks that significantly reduces query counts while effectively fooling state-of-the-art models and defenses.

Contribution

This paper presents GenAttack, a novel gradient-free optimization approach using genetic algorithms for efficient black-box adversarial example generation.

Findings

GenAttack requires 2,126 to 2,568 times fewer queries than ZOO on MNIST and CIFAR-10.

Achieves 237 times fewer queries on ImageNet models compared to prior methods.

Successfully attacks advanced ImageNet defenses like ensemble adversarial training.

Abstract

Deep neural networks are vulnerable to adversarial examples, even in the black-box setting, where the attacker is restricted solely to query access. Existing black-box approaches to generating adversarial examples typically require a significant number of queries, either for training a substitute network or performing gradient estimation. We introduce GenAttack, a gradient-free optimization technique that uses genetic algorithms for synthesizing adversarial examples in the black-box setting. Our experiments on different datasets (MNIST, CIFAR-10, and ImageNet) show that GenAttack can successfully generate visually imperceptible adversarial examples against state-of-the-art image recognition models with orders of magnitude fewer queries than previous approaches. Against MNIST and CIFAR-10 models, GenAttack required roughly 2,126 and 2,568 times fewer queries respectively, than ZOO, the prior state-of-the-art black-box attack. In order to scale up the attack to large-scale high-dimensional ImageNet models, we perform a series of optimizations that further improve the query efficiency of our attack leading to 237 times fewer queries against the Inception-v3 model than ZOO. Furthermore, we show that GenAttack can successfully attack some state-of-the-art ImageNet defenses, including ensemble adversarial training and non-differentiable or randomized input transformations. Our results suggest that evolutionary algorithms open up a promising area of research into effective black-box attacks.