Boosting Ray Search Procedure of Hard-label Attacks with Transfer-based Priors
Chen Ma, Xinjie Xu, Shuyu Cheng, Qi Xuan

TL;DR
This paper introduces a transfer-based prior-guided method to enhance the efficiency of hard-label black-box adversarial attacks by improving gradient estimation, reducing query costs, and outperforming existing methods on standard datasets.
Contribution
It proposes a novel prior-guided gradient estimation technique that leverages transfer-based priors to improve query efficiency in hard-label attacks, with theoretical analysis and empirical validation.
Findings
Significant reduction in query counts compared to state-of-the-art methods.
Theoretical analysis confirms improved gradient estimation quality.
Empirical results on ImageNet and CIFAR-10 demonstrate superior performance.
Abstract
One of the most practical and challenging types of black-box adversarial attacks is the hard-label attack, where only the top-1 predicted label is available. One effective approach is to search for the optimal ray direction from the benign image that minimizes the -norm distance to the adversarial region. The unique advantage of this approach is that it transforms the hard-label attack into a continuous optimization problem. The objective function value is the ray's radius, which can be obtained via binary search at a high query cost. Existing methods use a "sign trick" in gradient estimation to reduce the number of queries. In this paper, we theoretically analyze the quality of this gradient estimation and propose a novel prior-guided approach to improve ray search efficiency both theoretically and empirically. Specifically, we utilize the transfer-based priors from surrogate…
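The query-cost gap the abstract describes, as an added example that is not code from the paper or its authors: evaluating a ray's radius by binary search costs many label queries, while a Sign-OPT-style sign probe costs one. The toy linear classifier and the names `HardLabelOracle`, `radius`, `sign_probe` and `demo` are constructed for illustration, and the paper's prior-guided estimator is not reproduced here.

```python
import math

class HardLabelOracle:
    """Constructed toy target: a linear classifier exposing only its top-1 label."""
    def __init__(self, w, b):
        self.w, self.b, self.queries = w, b, 0

    def label(self, x):
        self.queries += 1  # every call is one billable/observable query
        return int(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b > 0)

def unit(v):
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v]

def point(x0, theta, r):
    """The point at distance r from x0 along the (normalized) ray direction theta."""
    return [a + r * d for a, d in zip(x0, unit(theta))]

def radius(oracle, x0, y0, theta, hi=16.0, tol=1e-3):
    """Ray radius g(theta): distance along theta at which the label changes."""
    if oracle.label(point(x0, theta, hi)) == y0:
        return math.inf  # no label change within hi along this ray
    lo = 0.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if oracle.label(point(x0, theta, mid)) == y0:
            lo = mid
        else:
            hi = mid
    return hi

def sign_probe(oracle, x0, y0, theta, u, g_theta, eps=1e-2):
    """Sign trick: one query tells whether g(theta + eps*u) is below (-1) or above (+1) g(theta)."""
    moved = [t + eps * c for t, c in zip(unit(theta), u)]
    return -1 if oracle.label(point(x0, moved, g_theta)) != y0 else +1

def demo():
    oracle = HardLabelOracle(w=[1.0, 0.0], b=-1.0)  # constructed: boundary is x1 = 1
    x0, y0, theta = [0.0, 0.0], 0, [1.0, 1.0]
    g = radius(oracle, x0, y0, theta)
    cost_radius = oracle.queries                      # queries spent on one radius
    s_toward = sign_probe(oracle, x0, y0, theta, [1.0, 0.0], g)
    s_away = sign_probe(oracle, x0, y0, theta, [0.0, 1.0], g)
    return g, cost_radius, s_toward, s_away, oracle.queries - cost_radius
```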
Peer Reviews
Decision: ICLR 2025 Spotlight
**Originality**: The concept of using transfer priors is not entirely new, as it was demonstrated in other works e.g., Dong et al. (2022). However, this paper's novelty lies in applying them to the more practical hard-label setting, where information is limited. **Quality**: The methodology demonstrates technical soundness, particularly the idea of using transfer-based priors and then the approach to gradient approximation through closest projection on the subspace. **Clarity**: The writing
1. The main contribution of the paper seems to have limited novelty. It essentially boils down to employing Eq (7), which is similar to the Sign-OPT method but with the addition of using gradients from surrogate classifiers. 2. It seems that the results don't clearly favor one approach over another. In some cases, Prior-Sign-OPT performs well, while in others, Prior-OPT outperforms it. Lines 319-321 mention that Prior-OPT outperforms Sign-OPT under certain conditions, but these conditions are no
1. This paper proposes a gradient estimation method to conduct hard-label attack and provides proof for it. 2. The paper is well-written.
1. The paper would benefit from showing the time complexity. 2. This paper is a comprehensive study based on transfer and query, hence, I hope you could compare it with the results from the paper "Blackbox Attacks via Surrogate Ensemble Search. NeurIPS 2022."
1. This paper proposes a surrogate function to compute the transfer-based priors, which can avoid the non-differentiable issue of using binary search to learn the prior. 2. The gradient of the loss in Eq. (3) can be estimated by the projection of the true gradient onto the subspace spanned by these transfer-based priors and some random directions.
An efficiency experiment is required to show how the proposed method improves the ray search efficiency.
Taxonomy
Topics: Advanced Malware Detection Techniques
