CGBA: Curvature-aware Geometric Black-box Attack

TL;DR

This paper introduces CGBA, a query-efficient, curvature-aware black-box attack method that effectively crafts adversarial examples by exploring boundary points along semicircular paths, especially exploiting low curvature regions.

Contribution

The paper proposes a novel curvature-aware geometric attack method (CGBA) and its targeted variant CGBA-H, improving query efficiency and success rate over existing decision-based black-box attacks.

Findings

CGBA outperforms state-of-the-art non-targeted attacks on ImageNet and CIFAR10.

CGBA-H effectively enhances targeted attack success with fewer queries.

The methods are particularly efficient on low-curvature decision boundaries.

Abstract

Decision-based black-box attacks often necessitate a large number of queries to craft an adversarial example. Moreover, decision-based attacks based on querying boundary points in the estimated normal vector direction often suffer from inefficiency and convergence issues. In this paper, we propose a novel query-efficient curvature-aware geometric decision-based black-box attack (CGBA) that conducts boundary search along a semicircular path on a restricted 2D plane to ensure finding a boundary point successfully irrespective of the boundary curvature. While the proposed CGBA attack can work effectively for an arbitrary decision boundary, it is particularly efficient in exploiting the low curvature to craft high-quality adversarial examples, which is widely seen and experimentally verified in commonly used classifiers under non-targeted attacks. In contrast, the decision boundaries often exhibit higher curvature under targeted attacks. Thus, we develop a new query-efficient variant, CGBA-H, that is adapted for the targeted attack. In addition, we further design an algorithm to obtain a better initial boundary point at the expense of some extra queries, which considerably enhances the performance of the targeted attack. Extensive experiments are conducted to evaluate the performance of our proposed methods against some well-known classifiers on the ImageNet and CIFAR10 datasets, demonstrating the superiority of CGBA and CGBA-H over state-of-the-art non-targeted and targeted attacks, respectively. The source code is available at https://github.com/Farhamdur/CGBA.