
EvoBA: An Evolution Strategy as a Strong Baseline for Black-Box Adversarial Attacks

  • Conference paper
Neural Information Processing (ICONIP 2021)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 13110)


Abstract

Recent work has shown how easily white-box adversarial attacks can be applied to state-of-the-art image classifiers. However, real-life scenarios more closely resemble black-box adversarial conditions, which lack transparency and usually impose natural, hard constraints on the query budget.

We propose EvoBA, a black-box adversarial attack based on a surprisingly simple evolutionary search strategy (all the work is open source at https://github.com/andreiilie1/BBAttacks; a full paper version is available at https://arxiv.org/abs/2107.05754). EvoBA is query-efficient, minimizes \(L_0\) adversarial perturbations, and does not require any form of training.

EvoBA shows efficiency and efficacy through results that are in line with much more complex state-of-the-art black-box attacks such as AutoZOOM. It is more query-efficient than SimBA, a simple and powerful baseline black-box attack, and has a similar level of complexity. Therefore, we propose it both as a new strong baseline for black-box adversarial attacks and as a fast and general tool for gaining empirical insight into how robust image classifiers are with respect to \(L_0\) adversarial perturbations.

There exist fast and reliable \(L_2\) black-box attacks, such as SimBA, and \(L_{\infty }\) black-box attacks, such as DeepSearch. We propose EvoBA as a query-efficient \(L_0\) black-box adversarial attack which, together with the aforementioned methods, can serve as a generic tool to assess the empirical robustness of image classifiers. The main advantages of such methods are that they run fast, are query-efficient, and can easily be integrated into image classifier development pipelines.

While our attack minimises the \(L_0\) adversarial perturbation, we also report \(L_2\), and notice that we compare favorably to the state-of-the-art \(L_2\) black-box attack, AutoZOOM, and to the strong \(L_2\) baseline, SimBA.



Acknowledgement

This work was partially supported by the Romanian Ministry of Research and Innovation UEFISCDI 401PED/2020 and PN-III-P2-2.1-PTE-2019-0820.


Corresponding author

Correspondence to Andrei Ilie.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Ilie, A., Popescu, M., Stefanescu, A. (2021). EvoBA: An Evolution Strategy as a Strong Baseline for Black-Box Adversarial Attacks. In: Mantoro, T., Lee, M., Ayu, M.A., Wong, K.W., Hidayanto, A.N. (eds) Neural Information Processing. ICONIP 2021. Lecture Notes in Computer Science, vol 13110. Springer, Cham. https://doi.org/10.1007/978-3-030-92238-2_16


  • DOI: https://doi.org/10.1007/978-3-030-92238-2_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92237-5

  • Online ISBN: 978-3-030-92238-2

  • eBook Packages: Computer Science, Computer Science (R0)
