Article

Query-efficient decision-based attack via sampling distribution reshaping

Journal

PATTERN RECOGNITION
Volume 129, Issue -, Pages -

Publisher

ELSEVIER SCI LTD
DOI: 10.1016/j.patcog.2022.108728

Keywords

Adversarial examples; Decision-based attack; Image classification; Normal vector estimation; Distribution reshaping

Funding

  1. National Science Foundation of China [61772425]
  2. Shaanxi Science Foundation for Distinguished Young Scholars [2021JC-16]
  3. Innovation Foundation for Doctor Dissertation of Northwestern Polytechnical University [CX2022054]
  4. Fundamental Research Funds for the Central Universities

This paper introduces SDR, a normal vector estimation framework for high-dimensional decision-based attacks that reshapes the sampling distribution and is incorporated into a general geometric attack framework. Experimental evaluations show that SDR can achieve competitive l_p norms, indicating its significance in enhancing attack performance.
With a limited query budget and only the final decision of a target model, how to find adversarial examples with low-magnitude distortion has attracted great attention among researchers. Recent solutions to this issue made use of the estimated normal vector at a boundary data point to search for adversarial examples. However, because of the sampling independence between two sampling epochs, they still suffer from a prohibitively high query budget, which gets worse as the dimensionality of the attacked samples increases. To push for further development, in this paper we focus on a query-efficient method to estimate the normal vector for decision-based attacks in high-dimensional space. Specifically, we propose a simple yet effective normal vector estimation framework for high-dimensional decision-based attacks via Sampling Distribution Reshaping, dubbed SDR. Next, SDR is incorporated into a general geometric attack framework. Briefly, SDR leverages all the historically sampled noise to build a guiding vector, which is used to reshape the next sampling distribution. Besides, we also extend SDR to different l_p norms for p = {2, ∞} and deploy a low-frequency constraint to enhance the performance of SDR. Compared to peer decision-based attacks, SDR can reach competitive l_p norms for p = {2, ∞}, according to extensive experimental evaluations against both defended and undefended classifiers. Given the simplicity and effectiveness of SDR, we think that reshaping the sampling distribution deserves further research in future works. © 2022 Elsevier Ltd. All rights reserved.
