BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian Optimization

TL;DR

BO-DBA introduces a query-efficient decision-based adversarial attack leveraging Bayesian optimization to generate minimal-distortion adversarial examples with significantly fewer queries than existing methods.

Contribution

This paper extends Bayesian optimization to decision-based attacks, enabling faster and more efficient adversarial example generation using only label outputs.

Findings

BO-DBA converges within 200 queries on ImageNet classifiers.

BO-DBA requires over 75 times fewer queries than state-of-the-art DBA methods.

BO-DBA achieves similar attack success rates with less distortion.

Abstract

Decision-based attacks (DBA), wherein attackers perturb inputs to spoof learning algorithms by observing solely the output labels, are a type of severe adversarial attacks against Deep Neural Networks (DNNs) requiring minimal knowledge of attackers. State-of-the-art DBA attacks relying on zeroth-order gradient estimation require an excessive number of queries. Recently, Bayesian optimization (BO) has shown promising in reducing the number of queries in score-based attacks (SBA), in which attackers need to observe real-valued probability scores as outputs. However, extending BO to the setting of DBA is nontrivial because in DBA only output labels instead of real-valued scores, as needed by BO, are available to attackers. In this paper, we close this gap by proposing an efficient DBA attack, namely BO-DBA. Different from existing approaches, BO-DBA generates adversarial examples by searching so-called \emph{directions of perturbations}. It then formulates the problem as a BO problem that minimizes the real-valued distortion of perturbations. With the optimized perturbation generation process, BO-DBA converges much faster than the state-of-the-art DBA techniques. Experimental results on pre-trained ImageNet classifiers show that BO-DBA converges within 200 queries while the state-of-the-art DBA techniques need over 15,000 queries to achieve the same level of perturbation distortion. BO-DBA also shows similar attack success rates even as compared to BO-based SBA attacks but with less distortion.