Progressive-Scale Boundary Blackbox Attack via Projective Gradient Estimation

TL;DR

This paper introduces a theoretical framework and a progressive-scale boundary blackbox attack method that significantly enhances query efficiency by optimizing the scale of gradient estimation, validated across multiple datasets and models.

Contribution

It proposes a novel theoretical analysis of scale in boundary blackbox attacks and introduces PSBA-PGAN, a progressive-scale attack method that outperforms existing approaches.

Findings

Optimal scale exists for projective gradient estimation.

PSBA-PGAN achieves higher query efficiency and success rate.

Stable optimal scales observed across datasets and models.

Abstract

Boundary based blackbox attack has been recognized as practical and effective, given that an attacker only needs to access the final model prediction. However, the query efficiency of it is in general high especially for high dimensional image data. In this paper, we show that such efficiency highly depends on the scale at which the attack is applied, and attacking at the optimal scale significantly improves the efficiency. In particular, we propose a theoretical framework to analyze and show three key characteristics to improve the query efficiency. We prove that there exists an optimal scale for projective gradient estimation. Our framework also explains the satisfactory performance achieved by existing boundary black-box attacks. Based on our theoretical framework, we propose Progressive-Scale enabled projective Boundary Attack (PSBA) to improve the query efficiency via progressive scaling techniques. In particular, we employ Progressive-GAN to optimize the scale of projections, which we call PSBA-PGAN. We evaluate our approach on both spatial and frequency scales. Extensive experiments on MNIST, CIFAR-10, CelebA, and ImageNet against different models including a real-world face recognition API show that PSBA-PGAN significantly outperforms existing baseline attacks in terms of query efficiency and attack success rate. We also observe relatively stable optimal scales for different models and datasets. The code is publicly available at https://github.com/AI-secure/PSBA.