Accelerate Black-Box Attack with White-Box Prior Knowledge

Abstract

We propose an efficient adversarial attack method in the black-box setting. Our Multi-model Efficient Query Attack (MEQA) method takes advantage of the prior knowledge on different models’ relationship to guide the construction of black-box adversarial instances. The MEQA method employs several gradients from different white-box attack models and further the “best” one is selected to replace the gradient of black-box model in each step. The gradient composed by different model gradients will lead a significant loss to the black-box model on these adversarial pictures and then cause misclassification. Our key motivation is to estimate the black-box model with several existing white-box models, which can significantly increase the efficiency from the perspectives of both query sampling and calculating. Compared with gradient estimation based black-box adversarial attack methods, our MEQA method reduces the number of queries from 10000 to 40, which greatly accelerates the black-box adversarial attack. Compared with the zero query black-box adversarial attack method, which also called transfer attack method, MEQA boosts the attack success rate by 30%. We evaluate our method on several black-box models and achieve remarkable performance which proves that MEQA can serve as a baseline method for fast and effective black-box adversarial attacks.