Prior Convictions: Black-Box Adversarial Attacks with Bandits and Priors
Andrew Ilyas, Logan Engstrom, Aleksander Madry

TL;DR
This paper introduces a unified framework for black-box adversarial attacks that leverages gradient priors and bandit optimization, significantly reducing query counts and failure rates compared to existing methods.
Contribution
It presents a novel bandit-based algorithm that incorporates gradient priors into black-box attacks, improving efficiency and success rates.
Findings
Uses 2-4 times fewer queries than state-of-the-art methods.
Fails 2-5 times less often than existing approaches.
Provides a unified framework for black-box adversarial attacks.
Abstract
We study the problem of generating adversarial examples in a black-box setting in which only loss-oracle access to a model is available. We introduce a framework that conceptually unifies much of the existing work on black-box attacks, and we demonstrate that the current state-of-the-art methods are optimal in a natural sense. Despite this optimality, we show how to improve black-box attacks by bringing a new element into the problem: gradient priors. We give a bandit optimization-based algorithm that allows us to seamlessly integrate any such priors, and we explicitly identify and incorporate two examples. The resulting methods use two to four times fewer queries and fail two to five times less often than the current state-of-the-art.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Deception detection and forensic psychology
