Abstract
Recent work has shown how easily white-box adversarial attacks can be applied to state-of-the-art image classifiers. However, real-life scenarios more closely resemble black-box adversarial conditions, in which the attacker has no access to model internals and usually faces natural, hard constraints on the query budget.
We propose EvoBA (all code is open source at https://github.com/andreiilie1/BBAttacks; a full paper version is available at https://arxiv.org/abs/2107.05754), a black-box adversarial attack based on a surprisingly simple evolutionary search strategy. EvoBA is query-efficient, minimizes \(L_0\) adversarial perturbations, and does not require any form of training.
EvoBA shows efficiency and efficacy through results that are in line with much more complex state-of-the-art black-box attacks such as AutoZOOM. It is more query-efficient than SimBA, a simple and powerful baseline black-box attack, and has a similar level of complexity. Therefore, we propose it both as a new strong baseline for black-box adversarial attacks and as a fast and general tool for gaining empirical insight into how robust image classifiers are with respect to \(L_0\) adversarial perturbations.
There exist fast and reliable \(L_2\) black-box attacks, such as SimBA, and \(L_{\infty}\) black-box attacks, such as DeepSearch. We propose EvoBA as a query-efficient \(L_0\) black-box adversarial attack which, together with the aforementioned methods, can serve as a generic tool to assess the empirical robustness of image classifiers. The main advantages of such methods are that they run fast, are query-efficient, and can easily be integrated into image-classifier development pipelines.
While our attack minimizes the \(L_0\) adversarial perturbation, we also report \(L_2\) distances and note that we compare favorably to the state-of-the-art \(L_2\) black-box attack, AutoZOOM, and to the strong \(L_2\) baseline, SimBA.
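To make the setting concrete, the following Python sketch illustrates what a minimal \(L_0\)-style evolutionary black-box attack could look like: it repeatedly perturbs a few random pixels of the current best candidate and keeps the offspring that most reduces the model's probability for the true class. This is only an assumption-based illustration, not the authors' EvoBA implementation (available in the linked repository); helper names such as query_probs, the Keras-style model.predict call, the population size, and the mutation scheme are hypothetical choices made for the sketch.

# Illustrative sketch of an L0-style evolutionary black-box attack.
# NOT the authors' EvoBA implementation; all helper names, hyperparameters,
# and the [0, 1] input range are assumptions made purely for illustration.
import numpy as np

def query_probs(model, x):
    # Black-box query: return the model's class-probability vector for image x.
    return model.predict(x[None, ...])[0]

def evo_l0_attack(model, x, true_label, pop_size=10, pixels_per_step=1,
                  max_queries=5000, rng=None):
    rng = rng or np.random.default_rng(0)
    h, w, c = x.shape
    parent = x.copy()
    parent_fit = query_probs(model, parent)[true_label]
    queries = 1
    while queries < max_queries:
        children, fits = [], []
        for _ in range(pop_size):
            # Offspring: copy the parent and overwrite a few random pixels.
            child = parent.copy()
            for _ in range(pixels_per_step):
                i, j = rng.integers(h), rng.integers(w)
                child[i, j] = rng.uniform(0.0, 1.0, size=c)
            p = query_probs(model, child)
            queries += 1
            if p.argmax() != true_label:
                return child, queries  # misclassification achieved
            children.append(child)
            fits.append(p[true_label])
        # Selection: keep the child that most reduces the true-class probability.
        best = int(np.argmin(fits))
        if fits[best] < parent_fit:
            parent, parent_fit = children[best], fits[best]
    return None, queries  # attack failed within the query budget

Because each accepted step changes only a handful of pixels relative to the current parent, the number of modified pixels, i.e. the \(L_0\) distance, grows slowly with the number of queries, which is the sense in which such a greedy evolutionary search keeps \(L_0\) perturbations small.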
References
Alzantot, M., Sharma, Y., Chakraborty, S., Zhang, H., Hsieh, C.J., Srivastava, M.B.: GenAttack: practical black-box attacks with gradient-free optimization. In: Proceedings of the Genetic and Evolutionary Computation Conference (GECCO’18), pp. 1111–1119 (2019)
Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. In: Proceedings of International Conference on Machine Learning (ICML’18), pp. 274–283 (2018)
Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: IEEE Symposium on Security and Privacy (SP’17), pp. 39–57. IEEE (2017)
Chen, P.Y., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.J.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 15–26 (2017)
Dvijotham, K., Stanforth, R., Gowal, S., Mann, T.A., Kohli, P.: A dual approach to scalable verification of deep networks. In: UAI, vol. 1, p. 3 (2018)
Eykholt, K., et al.: Robust physical-world attacks on deep learning visual classification. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1625–1634 (2018)
Goodfellow, I., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: International Conference on Learning Representations (2015)
Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.: Simple black-box adversarial attacks. In: Proceedings of International Conference on Machine Learning, pp. 2484–2493 (2019)
Huang, X., Kwiatkowska, M., Wang, S., Wu, M.: Safety verification of deep neural networks. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10426, pp. 3–29. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63387-9_1
Ilie, A., Popescu, M., Stefanescu, A.: Robustness as inherent property of datapoints. In: AISafety Workshop, IJCAI (2020)
Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: black-box adversarial attacks with bandits and priors (2018). arXiv:1807.07978
LeCun, Y., et al.: LeNet-5, convolutional neural networks (2015). http://yann.lecun.com/exdb/lenet
Meunier, L., Atif, J., Teytaud, O.: Yet another but more efficient black-box adversarial attack: tiling and evolution strategies (2019). arXiv:1910.02244
Papernot, N., McDaniel, P., Goodfellow, I.: Transferability in machine learning: from phenomena to black-box attacks using adversarial samples (2016). arXiv:1605.07277
Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., Swami, A.: The limitations of deep learning in adversarial settings. In: IEEE European Symposium on Security and Privacy (EuroS&P’16), pp. 372–387. IEEE (2016)
Ruan, W., Huang, X., Kwiatkowska, M.: Reachability analysis of deep neural networks with provable guarantees (2018). arXiv:1805.02242
Sharif, M., Bhagavatula, S., Bauer, L., Reiter, M.: Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. In: Proceedings of ACM SIGSAC Conference on Computer and Communication Security (CCS’16), pp. 1528–1540 (2016)
Su, D., Zhang, H., Chen, H., Yi, J., Chen, P.Y., Gao, Y.: Is robustness the cost of accuracy? - a comprehensive study on the robustness of 18 deep image classification models. In: Proceedings of the European Conference on Computer Vision (ECCV’18), pp. 631–648 (2018)
Szegedy, C., et al.: Intriguing properties of neural networks (2013). arXiv:1312.6199
Tu, C.C., et al.: AutoZOOM: autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 33, pp. 742–749 (2019)
Zhang, F., Chowdhury, S.P., Christakis, M.: DeepSearch: a simple and effective blackbox attack for deep neural networks. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 800–812 (2020)
Acknowledgement
This work was partially supported by the Romanian Ministry of Research and Innovation UEFISCDI 401PED/2020 and PN-III-P2-2.1-PTE-2019-0820.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Ilie, A., Popescu, M., Stefanescu, A. (2021). EvoBA: An Evolution Strategy as a Strong Baseline for Black-Box Adversarial Attacks. In: Mantoro, T., Lee, M., Ayu, M.A., Wong, K.W., Hidayanto, A.N. (eds) Neural Information Processing. ICONIP 2021. Lecture Notes in Computer Science(), vol 13110. Springer, Cham. https://doi.org/10.1007/978-3-030-92238-2_16
DOI: https://doi.org/10.1007/978-3-030-92238-2_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92237-5
Online ISBN: 978-3-030-92238-2