Unrestricted Black-box Adversarial Attack Using GAN with Limited Queries

TL;DR

This paper introduces Latent-HSJA, a novel GAN-based black-box adversarial attack method that efficiently generates unrestricted adversarial examples with limited queries, demonstrating effectiveness on facial recognition and celebrity recognition systems.

Contribution

The paper presents a new decision-based attack in the latent space using GANs, enabling efficient black-box unrestricted adversarial attacks with limited queries.

Findings

Effective attack on facial identity recognition with 307 identities

Successful attack on a real-world celebrity recognition service

Query-efficient generation of adversarial examples

Abstract

Adversarial examples are inputs intentionally generated for fooling a deep neural network. Recent studies have proposed unrestricted adversarial attacks that are not norm-constrained. However, the previous unrestricted attack methods still have limitations to fool real-world applications in a black-box setting. In this paper, we present a novel method for generating unrestricted adversarial examples using GAN where an attacker can only access the top-1 final decision of a classification model. Our method, Latent-HSJA, efficiently leverages the advantages of a decision-based attack in the latent space and successfully manipulates the latent vectors for fooling the classification model. With extensive experiments, we demonstrate that our proposed method is efficient in evaluating the robustness of classification models with limited queries in a black-box setting. First, we demonstrate that our targeted attack method is query-efficient to produce unrestricted adversarial examples for a facial identity recognition model that contains 307 identities. Then, we demonstrate that the proposed method can also successfully attack a real-world celebrity recognition service.