A geometry-inspired decision-based attack

TL;DR

This paper introduces qFool, a decision-based attack algorithm that efficiently generates adversarial examples with fewer queries by leveraging geometric insights and low-frequency constraints, effectively fooling commercial image recognition systems.

Contribution

The paper presents a novel decision-based attack method, qFool, that significantly reduces query count and improves efficiency by incorporating geometric and low-frequency perturbation constraints.

Findings

qFool reduces query numbers compared to previous methods.

The low-frequency constraint enhances computational efficiency.

The method successfully fools commercial systems with minimal queries.

Abstract

Deep neural networks have recently achieved tremendous success in image classification. Recent studies have however shown that they are easily misled into incorrect classification decisions by adversarial examples. Adversaries can even craft attacks by querying the model in black-box settings, where no information about the model is released except its final decision. Such decision-based attacks usually require lots of queries, while real-world image recognition systems might actually restrict the number of queries. In this paper, we propose qFool, a novel decision-based attack algorithm that can generate adversarial examples using a small number of queries. The qFool method can drastically reduce the number of queries compared to previous decision-based attacks while reaching the same quality of adversarial examples. We also enhance our method by constraining adversarial perturbations in low-frequency subspace, which can make qFool even more computationally efficient. Altogether, we manage to fool commercial image recognition systems with a small number of queries, which demonstrates the actual effectiveness of our new algorithm in practice.