MF-CLIP: Leveraging CLIP as Surrogate Models for No-box Adversarial Attacks

TL;DR

This paper introduces MF-CLIP, a framework that improves the use of CLIP as a surrogate model for no-box adversarial attacks on DNNs, achieving significant performance gains over existing methods.

Contribution

The paper proposes MF-CLIP, a novel method that enhances CLIP's effectiveness as a surrogate model for no-box attacks through margin-aware feature space optimization.

Findings

MF-CLIP surpasses existing baselines by 15.23% on standard models.

Achieves a 9.52% improvement on adversarially trained models.

Demonstrates effectiveness across diverse architectures and datasets.

Abstract

The vulnerability of Deep Neural Networks (DNNs) to adversarial attacks poses a significant challenge to their deployment in safety-critical applications. While extensive research has addressed various attack scenarios, the no-box attack setting where adversaries have no prior knowledge, including access to training data of the target model, remains relatively underexplored despite its practical relevance. This work presents a systematic investigation into leveraging large-scale Vision-Language Models (VLMs), particularly CLIP, as surrogate models for executing no-box attacks. Our theoretical and empirical analyses reveal a key limitation in the execution of no-box attacks stemming from insufficient discriminative capabilities for direct application of vanilla CLIP as a surrogate model. To address this limitation, we propose MF-CLIP: a novel framework that enhances CLIP's effectiveness as a surrogate model through margin-aware feature space optimization. Comprehensive evaluations across diverse architectures and datasets demonstrate that MF-CLIP substantially advances the state-of-the-art in no-box attacks, surpassing existing baselines by 15.23% on standard models and achieving a 9.52% improvement on adversarially trained models. Our code will be made publicly available to facilitate reproducibility and future research in this direction.