Art-Attack: Black-Box Adversarial Attack via Evolutionary Art

TL;DR

This paper introduces a novel black-box adversarial attack method using evolutionary art, which evolves transparent shapes to generate effective adversarial examples without gradient information, outperforming existing methods.

Contribution

The paper presents a gradient-free black-box attack leveraging evolutionary art, avoiding substitute models and gradient estimation, and demonstrates superior success rates on image classifiers.

Findings

Higher attack success rate than state-of-the-art black-box methods

Effective on multiple models trained on CIFAR-10

Parameter study shows impact of shape number and type

Abstract

Deep neural networks (DNNs) have achieved state-of-the-art performance in many tasks but have shown extreme vulnerabilities to attacks generated by adversarial examples. Many works go with a white-box attack that assumes total access to the targeted model including its architecture and gradients. A more realistic assumption is the black-box scenario where an attacker only has access to the targeted model by querying some input and observing its predicted class probabilities. Different from most prevalent black-box attacks that make use of substitute models or gradient estimation, this paper proposes a gradient-free attack by using a concept of evolutionary art to generate adversarial examples that iteratively evolves a set of overlapping transparent shapes. To evaluate the effectiveness of our proposed method, we attack three state-of-the-art image classification models trained on the CIFAR-10 dataset in a targeted manner. We conduct a parameter study outlining the impact the number and type of shapes have on the proposed attack's performance. In comparison to state-of-the-art black-box attacks, our attack is more effective at generating adversarial examples and achieves a higher attack success rate on all three baseline models.