2024
DOI: 10.1109/tpami.2022.3194988

Generalizable Black-Box Adversarial Attack With Meta Learning

Abstract: In the scenario of black-box adversarial attack, the target model's parameters are unknown, and the attacker aims to find a successful adversarial perturbation based on query feedback under a query budget. Due to the limited feedback information, existing query-based black-box attack methods often require many queries for attacking each benign example. To reduce query cost, we propose to utilize the feedback information across historical attacks, dubbed example-level adversarial transferability. Specifically, …

Cited by 11 publications
(6 citation statements)
References 43 publications
“…We think that the potentials of further improving the score-based attack performance lie in how to shrink the gap between surrogate and target models, extracting what kinds of priors from surrogate models, and how to effectively combine surrogate priors and the query feedback returned by the target model. Besides, it is notable that the reported results in some latest works (e.g., CG-Attack [64] and MCG [222]) are very good, and the median query number even achieves 1 and the attack success rate achieves 100% at some easy cases (e.g., small data dimension, untargeted attack, target model with standard training). It gives us an impression that the performance of score-based attacks is hitting the ceiling, and there is limited room for improvement.…”
Section: Discussion Of Black-box Adversarial Attacks
Citation type: mentioning
confidence: 94%
“…The Simulator attack [131] utilized meta learning to learn a generalized simulator (i.e., surrogate model), which can be fine-tuned by the limited feedback returned by target models. Similar to CG-Attack, the meta conditional generator (MCG) method [222] also aimed to learn the conditional adversarial distribution (CAD). The main difference is that MCG proposed a meta learning framework which captures both the example-level and model-level adversarial transferability (introduced later in Section 5.4), such that the CAD could be adjusted according to different benign examples, and the surrogate model can also be updated based on the query feedback.…”
Section: Score-based Attack
Citation type: mentioning
confidence: 99%
“…The objective of study [61] is to train a generalizable surrogate model, termed "Simulator," capable of emulating the behavior of an unknown target model. To mitigate the query cost, the authors of [132] suggest using feedback information obtained from past attacks, i.e., example-level adversarial transferability. By considering each attack on a benign example as an individual task, they construct a meta-learning framework that involves training a meta-generator to produce perturbations based on specific benign examples.…”
Section: Black-box Attacks
Citation type: mentioning
confidence: 99%