Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks

TL;DR

This paper introduces Tangent Attack, a geometric approach for black-box hard-label adversarial attacks that reduces query complexity and distortion by identifying optimal tangent points on decision boundaries, with proven theoretical guarantees and practical effectiveness.

Contribution

It proposes a novel tangent-based method for hard-label attacks, improving efficiency and distortion reduction without requiring pre-training.

Findings

Achieves low distortion with fewer queries on ImageNet and CIFAR-10.

Theoretically guarantees minimal distortion via tangent points.

Effective on curved decision boundaries using semi-ellipsoids.

Abstract

One major problem in black-box adversarial attacks is the high query complexity in the hard-label attack setting, where only the top-1 predicted label is available. In this paper, we propose a novel geometric-based approach called Tangent Attack (TA), which identifies an optimal tangent point of a virtual hemisphere located on the decision boundary to reduce the distortion of the attack. Assuming the decision boundary is locally flat, we theoretically prove that the minimum $\ell_2$ distortion can be obtained by reaching the decision boundary along the tangent line passing through such tangent point in each iteration. To improve the robustness of our method, we further propose a generalized method which replaces the hemisphere with a semi-ellipsoid to adapt to curved decision boundaries. Our approach is free of pre-training. Extensive experiments conducted on the ImageNet and CIFAR-10 datasets demonstrate that our approach can consume only a small number of queries to achieve the low-magnitude distortion. The implementation source code is released online at https://github.com/machanic/TangentAttack.