ADBA: Approximation Decision Boundary Approach for Black-Box Adversarial Attacks
Feiyang Wang, Xingquan Zuo, Hai Huang, Gang Chen

TL;DR
This paper introduces ADBA, a novel black-box adversarial attack method that efficiently distinguishes perturbation directions using an approximation of decision boundaries, significantly reducing query complexity and outperforming existing methods.
Contribution
The paper proposes ADBA, an approach that uses an approximation decision boundary to improve attack efficiency and success rate in black-box settings, and develops the ADBA-md algorithm, which requires only four queries on average.
Findings
ADBA outperforms state-of-the-art black-box attacks on multiple classifiers.
ADBA-md achieves high differentiation accuracy with only four queries.
Extensive experiments validate the effectiveness and efficiency of the proposed methods.
Abstract
Many machine learning models are susceptible to adversarial attacks, with decision-based black-box attacks representing the most critical threat in real-world applications. These attacks are extremely stealthy, generating adversarial examples using hard labels obtained from the target machine learning model. This is typically realized by optimizing perturbation directions, guided by decision boundaries identified through query-intensive exact search, significantly limiting the attack success rate. This paper introduces a novel approach using the Approximation Decision Boundary (ADB) to efficiently and accurately compare perturbation directions without precisely determining decision boundaries. The effectiveness of our ADB approach (ADBA) hinges on promptly identifying suitable ADB, ensuring reliable differentiation of all perturbation directions. For this purpose, we analyze the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Security and Verification in Computing
