Decision-BADGE: Decision-based Adversarial Batch Attack with Directional Gradient Estimation

TL;DR

Decision-BADGE introduces a new decision-based black-box attack method that efficiently crafts universal adversarial perturbations by estimating gradient directions, outperforming existing methods in success rate and speed.

Contribution

It presents a novel gradient estimation technique for decision-based attacks, enabling effective universal adversarial perturbations in black-box scenarios.

Findings

Outperforms existing attack methods in success rate

Requires less training time than previous approaches

Successfully targets specific classes and generalizes to unseen models

Abstract

The susceptibility of deep neural networks (DNNs) to adversarial examples has prompted an increase in the deployment of adversarial attacks. Image-agnostic universal adversarial perturbations (UAPs) are much more threatening, but many limitations exist to implementing UAPs in real-world scenarios where only binary decisions are returned. In this research, we propose Decision-BADGE, a novel method to craft universal adversarial perturbations for executing decision-based black-box attacks. To optimize perturbation with decisions, we addressed two challenges, namely the magnitude and the direction of the gradient. First, we use batch loss, differences from distributions of ground truth, and accumulating decisions in batches to determine the magnitude of the gradient. This magnitude is applied in the direction of the revised simultaneous perturbation stochastic approximation (SPSA) to update the perturbation. This simple yet efficient method can be easily extended to score-based attacks as well as targeted attacks. Experimental validation across multiple victim models demonstrates that the Decision-BADGE outperforms existing attack methods, even image-specific and score-based attacks. In particular, our proposed method shows a superior success rate with less training time. The research also shows that Decision-BADGE can successfully deceive unseen victim models and accurately target specific classes.