Hard-label based small query black-box adversarial attack

Jeong Park; Niall McLaughlin; Paul Miller

doi:10.1109/WACV57701.2024.00394

Hard-label based small query black-box adversarial attack

Jeong Park^*, Niall McLaughlin, Paul Miller

^*Corresponding author for this work

School of Electronics, Electrical Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

62 Downloads (Pure)

Abstract

We consider the hard-label based black-box adversarial attack setting which solely observes the target model’s predicted class. Most of the attack methods in this setting suffer from impractical number of queries required to achieve a successful attack. One approach to tackle this drawback is utilising the adversarial transferability between white-box surrogate models and black-box target model. However, the majority of the methods adopting this approach are soft-label based to take the full advantage of zeroth-order optimisation. Unlike mainstream methods, we propose a new practical setting of hard-label based attack with an optimisation process guided by a pre-trained surrogate model. Experiments show the proposed method significantly improves the query efficiency of the hard-label based black-box attack across various target model architectures. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks, especially at the small query budgets as 100 and 250.

Original language	English
Title of host publication	IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	3974-3983
Number of pages	10
DOIs	https://doi.org/10.1109/WACV57701.2024.00394
Publication status	Published - 09 Apr 2024
Event	IEEE/CVF Winter Conference on Applications of Computer Vision 2024 - Waikoloa, United States Duration: 04 Jan 2024 → 08 Jan 2024

Publication series

Name	IEEE/CVF Winter Conference on Applications of Computer Vision: proceedings
ISSN (Print)	2472-6737
ISSN (Electronic)	2642-9381

Conference

Conference	IEEE/CVF Winter Conference on Applications of Computer Vision 2024
Abbreviated title	IEEE/CVF WACV 2024
Country/Territory	United States
City	Waikoloa
Period	04/01/2024 → 08/01/2024

Access to Document

10.1109/WACV57701.2024.00394Licence: Unspecified

Hard-label based small query black-box adversarial attack
© 2023 IEEE. This work is made available online in accordance with the publisher’s policies. Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 578 KBLicence: Unspecified

Insight into ML security: adversarial attacks and defences in black-box settings
Park, J. (Author), Alouani, I. (Supervisor) & McLaughlin, N. (Supervisor), Dec 2024
Student thesis: Doctoral Thesis › Doctor of Philosophy

File

Cite this

Park, J., McLaughlin, N., & Miller, P. (2024). Hard-label based small query black-box adversarial attack. In IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings (pp. 3974-3983). (IEEE/CVF Winter Conference on Applications of Computer Vision: proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/WACV57701.2024.00394

@inproceedings{c3336734e27741f4829789701c299622,

title = "Hard-label based small query black-box adversarial attack",

abstract = "We consider the hard-label based black-box adversarial attack setting which solely observes the target model{\textquoteright}s predicted class. Most of the attack methods in this setting suffer from impractical number of queries required to achieve a successful attack. One approach to tackle this drawback is utilising the adversarial transferability between white-box surrogate models and black-box target model. However, the majority of the methods adopting this approach are soft-label based to take the full advantage of zeroth-order optimisation. Unlike mainstream methods, we propose a new practical setting of hard-label based attack with an optimisation process guided by a pre-trained surrogate model. Experiments show the proposed method significantly improves the query efficiency of the hard-label based black-box attack across various target model architectures. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks, especially at the small query budgets as 100 and 250.",

author = "Jeong Park and Niall McLaughlin and Paul Miller",

year = "2024",

month = apr,

day = "9",

doi = "10.1109/WACV57701.2024.00394",

language = "English",

series = "IEEE/CVF Winter Conference on Applications of Computer Vision: proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "3974--3983",

booktitle = "IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings",

address = "United States",

note = "IEEE/CVF Winter Conference on Applications of Computer Vision 2024, IEEE/CVF WACV 2024 ; Conference date: 04-01-2024 Through 08-01-2024",

}

Park, J, McLaughlin, N & Miller, P 2024, Hard-label based small query black-box adversarial attack. in IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings. IEEE/CVF Winter Conference on Applications of Computer Vision: proceedings, Institute of Electrical and Electronics Engineers Inc., pp. 3974-3983, IEEE/CVF Winter Conference on Applications of Computer Vision 2024, Waikoloa, Hawaii, United States, 04/01/2024. https://doi.org/10.1109/WACV57701.2024.00394

Hard-label based small query black-box adversarial attack. / Park, Jeong; McLaughlin, Niall ; Miller, Paul.
IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings. Institute of Electrical and Electronics Engineers Inc., 2024. p. 3974-3983 (IEEE/CVF Winter Conference on Applications of Computer Vision: proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Hard-label based small query black-box adversarial attack

AU - Park, Jeong

AU - McLaughlin, Niall

AU - Miller, Paul

PY - 2024/4/9

Y1 - 2024/4/9

N2 - We consider the hard-label based black-box adversarial attack setting which solely observes the target model’s predicted class. Most of the attack methods in this setting suffer from impractical number of queries required to achieve a successful attack. One approach to tackle this drawback is utilising the adversarial transferability between white-box surrogate models and black-box target model. However, the majority of the methods adopting this approach are soft-label based to take the full advantage of zeroth-order optimisation. Unlike mainstream methods, we propose a new practical setting of hard-label based attack with an optimisation process guided by a pre-trained surrogate model. Experiments show the proposed method significantly improves the query efficiency of the hard-label based black-box attack across various target model architectures. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks, especially at the small query budgets as 100 and 250.

AB - We consider the hard-label based black-box adversarial attack setting which solely observes the target model’s predicted class. Most of the attack methods in this setting suffer from impractical number of queries required to achieve a successful attack. One approach to tackle this drawback is utilising the adversarial transferability between white-box surrogate models and black-box target model. However, the majority of the methods adopting this approach are soft-label based to take the full advantage of zeroth-order optimisation. Unlike mainstream methods, we propose a new practical setting of hard-label based attack with an optimisation process guided by a pre-trained surrogate model. Experiments show the proposed method significantly improves the query efficiency of the hard-label based black-box attack across various target model architectures. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks, especially at the small query budgets as 100 and 250.

U2 - 10.1109/WACV57701.2024.00394

DO - 10.1109/WACV57701.2024.00394

M3 - Conference contribution

T3 - IEEE/CVF Winter Conference on Applications of Computer Vision: proceedings

SP - 3974

EP - 3983

BT - IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2024: proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - IEEE/CVF Winter Conference on Applications of Computer Vision 2024

Y2 - 4 January 2024 through 8 January 2024

ER -

Hard-label based small query black-box adversarial attack

Abstract

Publication series

Conference

Access to Document

Fingerprint

Student theses

Insight into ML security: adversarial attacks and defences in black-box settings

Cite this