We propose an efficient adversarial attack method in the black-box setting. Our Multi-model Efficient Query Attack (MEQA) method takes advantage of the prior knowledge on different models’ relationship to guide the construction of black-box adversarial instances. The MEQA method employs several gradients from different white-box attack models and further the “best” one is selected to replace the gradient of black-box model in each step. The gradient composed by different model gradients will lead a significant loss to the black-box model on these adversarial pictures and then cause misclassification. Our key motivation is to estimate the black-box model with several existing white-box models, which can significantly increase the efficiency from the perspectives of both query sampling and calculating. Compared with gradient estimation based black-box adversarial attack methods, our MEQA method reduces the number of queries from 10000 to 40, which greatly accelerates the black-box adversarial attack. Compared with the zero query black-box adversarial attack method, which also called transfer attack method, MEQA boosts the attack success rate by 30%. We evaluate our method on several black-box models and achieve remarkable performance which proves that MEQA can serve as a baseline method for fast and effective black-box adversarial attacks.
CITATION STYLE
Cai, J., Wang, B., Wang, X., & Jin, B. (2019). Accelerate Black-Box Attack with White-Box Prior Knowledge. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11936 LNCS, pp. 394–405). Springer. https://doi.org/10.1007/978-3-030-36204-1_33
Mendeley helps you to discover research relevant for your work.