Parsimonious Black-Box Adversarial Attacks via Efficient Combinatorial Optimization

TL;DR

This paper introduces a new black-box adversarial attack method that uses a discrete surrogate optimization approach, significantly reducing query complexity while maintaining high attack success rates on image classification models.

Contribution

It presents a novel discrete surrogate optimization technique for black-box adversarial attacks that eliminates the need for gradient estimation and hyperparameter tuning.

Findings

Achieves state-of-the-art attack performance on CIFAR-10 and ImageNet.

Reduces the number of queries required compared to existing methods.

Does not rely on gradient estimation, simplifying the attack process.

Abstract

Solving for adversarial examples with projected gradient descent has been demonstrated to be highly effective in fooling the neural network based classifiers. However, in the black-box setting, the attacker is limited only to the query access to the network and solving for a successful adversarial example becomes much more difficult. To this end, recent methods aim at estimating the true gradient signal based on the input queries but at the cost of excessive queries. We propose an efficient discrete surrogate to the optimization problem which does not require estimating the gradient and consequently becomes free of the first order update hyperparameters to tune. Our experiments on Cifar-10 and ImageNet show the state of the art black-box attack performance with significant reduction in the required queries compared to a number of recently proposed methods. The source code is available at https://github.com/snu-mllab/parsimonious-blackbox-attack.