Sign-OPT: A Query-Efficient Hard-label Adversarial Attack
Minhao Cheng, Simranjit Singh, Patrick Chen, Pin-Yu Chen, Sijia Liu, Cho-Jui Hsieh

TL;DR
This paper introduces Sign-OPT, a new query-efficient method for hard-label black-box adversarial attacks that significantly reduces the number of queries needed to generate adversarial examples.
Contribution
Sign-OPT estimates the gradient sign directly with a single query, improving query efficiency over existing methods in hard-label black-box attacks.
Findings
Requires 5X to 10X fewer queries than state-of-the-art methods
Achieves smaller perturbations in adversarial examples
Converges faster to successful adversarial examples
Abstract
We study the most practical problem setup for evaluating adversarial robustness of a machine learning system with limited access: the hard-label black-box attack setting for generating adversarial examples, where limited model queries are allowed and only the decision is provided to a queried data input. Several algorithms have been proposed for this problem but they typically require a huge amount (>20,000) of queries for attacking one example. Among them, one of the state-of-the-art approaches (Cheng et al., 2019) showed that hard-label attack can be modeled as an optimization problem where the objective function can be evaluated by binary search with additional model queries, thereby a zeroth order optimization algorithm can be applied. In this paper, we adopt the same optimization formulation but propose to directly estimate the sign of gradient at any direction instead of the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning · Advanced Neural Network Applications
