EvolBA: Evolutionary Boundary Attack under Hard-label Black Box condition

TL;DR

EvolBA is a novel evolutionary algorithm-based method for generating adversarial examples under hard-label black box conditions, achieving smaller perturbations than previous approaches.

Contribution

This paper introduces EvolBA, a CMA-ES based adversarial attack method that improves exploration and effectiveness in hard-label black box scenarios.

Findings

EvolBA produces smaller perturbations than previous methods.

EvolBA effectively finds adversarial examples in challenging image cases.

The method enhances search exploration with domain-independent operators.

Abstract

Research has shown that deep neural networks (DNNs) have vulnerabilities that can lead to the misrecognition of Adversarial Examples (AEs) with specifically designed perturbations. Various adversarial attack methods have been proposed to detect vulnerabilities under hard-label black box (HL-BB) conditions in the absence of loss gradients and confidence scores.However, these methods fall into local solutions because they search only local regions of the search space. Therefore, this study proposes an adversarial attack method named EvolBA to generate AEs using Covariance Matrix Adaptation Evolution Strategy (CMA-ES) under the HL-BB condition, where only a class label predicted by the target DNN model is available. Inspired by formula-driven supervised learning, the proposed method introduces domain-independent operators for the initialization process and a jump that enhances search exploration. Experimental results confirmed that the proposed method could determine AEs with smaller perturbations than previous methods in images where the previous methods have difficulty.