Subspace Attack: Exploiting Promising Subspaces for Query-Efficient Black-box Attacks

TL;DR

This paper introduces a black-box attack method that leverages gradients from reference models to identify promising subspaces, significantly reducing query counts while maintaining effectiveness.

Contribution

It proposes a novel subspace attack approach that exploits gradients of reference models to improve query efficiency in black-box adversarial attacks.

Findings

Achieves up to 2x reduction in mean queries

Achieves up to 4x reduction in median queries

Maintains low failure rates even with limited reference data

Abstract

Unlike the white-box counterparts that are widely studied and readily accessible, adversarial examples in black-box settings are generally more Herculean on account of the difficulty of estimating gradients. Many methods achieve the task by issuing numerous queries to target classification systems, which makes the whole procedure costly and suspicious to the systems. In this paper, we aim at reducing the query complexity of black-box attacks in this category. We propose to exploit gradients of a few reference models which arguably span some promising search subspaces. Experimental results show that, in comparison with the state-of-the-arts, our method can gain up to 2x and 4x reductions in the requisite mean and medium numbers of queries with much lower failure rates even if the reference models are trained on a small and inadequate dataset disjoint to the one for training the victim model. Code and models for reproducing our results will be made publicly available.