AdvSmo: Black-box Adversarial Attack by Smoothing Linear Structure of Texture

TL;DR

AdvSmo is a novel black-box adversarial attack method that smooths linear textures in images to generate highly transferable and evasive adversarial examples, outperforming existing methods on CIFAR-10 and Tiny-ImageNet.

Contribution

It introduces a texture smoothing approach using Gabor filters to create transferable adversarial examples without internal model information.

Findings

Achieves 9% higher success rate on CIFAR-10

Achieves 16% higher success rate on Tiny-ImageNet

Outperforms four advanced black-box attack methods

Abstract

Black-box attacks usually face two problems: poor transferability and the inability to evade the adversarial defense. To overcome these shortcomings, we create an original approach to generate adversarial examples by smoothing the linear structure of the texture in the benign image, called AdvSmo. We construct the adversarial examples without relying on any internal information to the target model and design the imperceptible-high attack success rate constraint to guide the Gabor filter to select appropriate angles and scales to smooth the linear texture from the input images to generate adversarial examples. Benefiting from the above design concept, AdvSmo will generate adversarial examples with strong transferability and solid evasiveness. Finally, compared to the four advanced black-box adversarial attack methods, for the eight target models, the results show that AdvSmo improves the average attack success rate by 9% on the CIFAR-10 and 16% on the Tiny-ImageNet dataset compared to the best of these attack methods.