MC-FGSM: Black-box Adversarial Attack for Deep Learning System

Abstract

Deep learning (DL) technology has been widely applied in the safety-critical area, for instance, autopilot system in which the misbehavior will have a huge influence. Hence the reliability of DL system should be tested thoroughly. DL reliability testing is mainly achieved via adversarial attack, however, the existing attack methods lack mathematical proof whether the convergence of the attack can be guaranteed. This paper proposes a novel adversarial attack method, i.e., Monte Carlo-Fast Gradient Sign Method (MC-FGSM) to test the DL robustness. This method does not require any knowledge of the victim DL system. Specifically, this method first approximates the gradient of the input variable via Monte Carlo sampling technique, and then the gradient-based method is applied to generate adversarial attacks. Moreover, a strict mathematical proof has shown the gradient estimation is unbiased and the time complexity is $\boldsymbol{O}(1)$, while the existing method is $\boldsymbol{O}(N)$. The effectiveness of the proposed method is demonstrated by numerical experiments. This method can work as the reliability evaluation tool of the autopilot system.