Efficient black-box adversarial attacks via alternate query and boundary augmentation

IF 7.2 | Zone 1, Computer Science | Q1, COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE
Jiatian Pi, Fusen Wen, Fen Xia, Ning Jiang, Haiying Wu, Qiao Liu
Knowledge-Based Systems, vol. 319, Article 113604. Published 2025-05-05. DOI: 10.1016/j.knosys.2025.113604
https://www.sciencedirect.com/science/article/pii/S0950705125006501
Citations: 0

Abstract

Most existing query-based black-box attacks use surrogate models as transferable priors to improve query efficiency. However, these methods still suffer from high query times and complexity for the following three reasons. First, they usually use a transfer-based strategy to find a starting point, which is not conducive to fast optimization. Second, most of them exploit transferable priors in a complex way that severely constrains query efficiency. Third, their performance usually depends on the number of surrogate models: the more surrogate models, the better the performance. To this end, we propose an optimization framework based on fusion attack and boundary augmentation, which makes full use of the transfer prior and query feedback to achieve a more effective and efficient attack. Specifically, we first use the surrogate model to conduct a warm-up attack guided by query feedback, which provides a better starting point for fast optimization. Then, we introduce a data-augmentation-based transferable attack into the query-based method for alternative query. Since the alternate attack framework can quickly find the adversarial area of the target model, it improves query efficiency. Finally, we design a decision boundary enhancement strategy to make the decision boundary of the model more diverse. This strategy can reduce the number of surrogate models used yet still achieve competitive performance. To validate the effectiveness of the proposed method, we conduct experiments with three victim models on the ImageNet dataset. Extensive experimental results show that our method achieves favorable performance against the state-of-the-art methods. While the proposed method gets a 100% attack success rate, the query times can be reduced by several orders of magnitude.
Source journal

Knowledge-Based Systems (Engineering & Technology, Computer Science: Artificial Intelligence)

- CiteScore: 14.80
- Self-citation rate: 12.50%
- Articles published: 1245
- Review time: 7.8 months

Journal description: Knowledge-Based Systems, an international and interdisciplinary journal in artificial intelligence, publishes original, innovative, and creative research results in the field. It focuses on knowledge-based and other artificial intelligence techniques-based systems. The journal aims to support human prediction and decision-making through data science and computation techniques, provide a balanced coverage of theory and practical study, and encourage the development and implementation of knowledge-based intelligence models, methods, systems, and software tools. Applications in business, government, education, engineering, and healthcare are emphasized.