Simple Black-box Adversarial Attacks
Chuan Guo, Jacob R. Gardner, Yurong You, Andrew Gordon Wilson, Kilian Q. Weinberger

TL;DR
This paper introduces a simple, highly query-efficient black-box adversarial attack method that uses random sampling from an orthonormal basis, effective for real-world APIs like Google Cloud Vision.
Contribution
It presents a novel, simple iterative algorithm for black-box adversarial attacks that achieves unprecedented query efficiency with minimal implementation complexity.
Findings
Effective on real-world APIs like Google Cloud Vision
Achieves high query efficiency in both targeted and untargeted attacks
Requires less than 20 lines of code for implementation
Abstract
We propose an intriguingly simple method for the construction of adversarial images in the black-box setting. In contrast to the white-box scenario, constructing black-box adversarial images has the additional constraint on query budget, and efficient attacks remain an open problem to date. With only the mild assumption of continuous-valued confidence scores, our highly query-efficient algorithm utilizes the following simple iterative principle: we randomly sample a vector from a predefined orthonormal basis and either add or subtract it to the target image. Despite its simplicity, the proposed method can be used for both untargeted and targeted attacks -- resulting in previously unprecedented query efficiency in both settings. We demonstrate the efficacy and efficiency of our algorithm on several real world settings including the Google Cloud Vision API. We argue that our proposed…
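The iterative principle in the abstract, written out as an added example for measuring how many score queries a model you own withstands; it is not the paper's code. Assumptions: the basis is the coordinate basis sampled without replacement, the stand-in model is a constructed linear softmax classifier, inputs are not clipped to a valid range, and all function names are hypothetical.

```python
import math
import random

def make_scorer(weights):
    """Constructed stand-in for a black-box model that returns only softmax scores."""
    def scores(x):
        z = [sum(w * v for w, v in zip(row, x)) for row in weights]
        e = [math.exp(v - max(z)) for v in z]
        return [v / sum(e) for v in e]
    return scores

def argmax(p):
    return max(range(len(p)), key=p.__getitem__)

def simba_untargeted(scores, x, label, eps=0.2, max_queries=200, seed=0):
    """Try +eps, then -eps, along one unused basis vector per step; count every query."""
    order = random.Random(seed).sample(range(len(x)), len(x))  # no basis vector reused
    x_adv, p = list(x), scores(x)
    queries, history = 1, [p[label]]           # the initial score lookup is query 1
    for i in order:
        if argmax(p) != label:
            break                              # predicted class changed
        for sign in (1.0, -1.0):
            if queries >= max_queries:
                break
            cand = list(x_adv)
            cand[i] += sign * eps
            p_cand = scores(cand)
            queries += 1
            if p_cand[label] < p[label]:       # keep the step only if the score dropped
                x_adv, p = cand, p_cand
                history.append(p[label])
                break
    return x_adv, queries, history

def run_demo(seed=1, dim=64, classes=3):
    """Constructed weights and input; returns the numbers a robustness report would log."""
    rng = random.Random(seed)
    weights = [[rng.gauss(0, 0.5) for _ in range(dim)] for _ in range(classes)]
    x = [rng.random() for _ in range(dim)]
    scores = make_scorer(weights)
    label = argmax(scores(x))
    x_adv, queries, history = simba_untargeted(scores, x, label)
    l2 = math.sqrt(sum((a - b) ** 2 for a, b in zip(x_adv, x)))
    return {"queries": queries, "accepted": len(history) - 1, "l2": l2,
            "history": history, "flipped": argmax(scores(x_adv)) != label}

if __name__ == "__main__":
    print(run_demo())
```

Because the accepted steps lie along distinct orthonormal directions, the L2 size of the perturbation is exactly eps times the square root of the number of accepted steps, which is what `l2` reports next to the query count.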
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · COVID-19 diagnosis using AI
