Square Attack: a query-efficient black-box adversarial attack via random search

Andriushchenko, Maksym; Croce, Francesco; Flammarion, Nicolas; Hein, Matthias

doi:10.48550/arxiv.1912.00049

Cited by 23 publications

(49 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another cause of poor evaluations is the lack of diversity among the attacks used, as most papers rely solely on the results given by PGD or weaker versions of it like FGSM (Goodfellow et al, 2015). Of different nature are for example two existing attacks: the white-box FAB-attack and the black-box Square Attack (Andriushchenko et al, 2019). Importantly, these methods have a limited amount of parameters which are shown to general-ize well across classifiers and datasets.…”

Section: Introductionmentioning

confidence: 99%

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Croce,

Hein

2020

Preprint

Self Cite

View full text Add to dashboard Cite

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 40 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

show abstract

Section: Introductionmentioning

confidence: 99%

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Croce,

Hein

2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Square Attack Square Attack (Andriushchenko et al 2019) is a type of score-based black-box attack. It is based on a randomized search scheme which selects localized square shaped updates at random positions.…”

Section: Discussionmentioning

confidence: 99%

Composite Adversarial Attacks

Mao¹,

Chen²,

Wang³

et al. 2020

Preprint

View full text Add to dashboard Cite

Adversarial attack is a technique for deceiving Machine Learning (ML) models, which provides a way to evaluate the adversarial robustness. In practice, attack algorithms are artificially selected and tuned by human experts to break a ML system. However, manual selection of attackers tends to be sub-optimal, leading to a mistakenly assessment of model security. In this paper, a new procedure called Composite Adversarial Attack (CAA) is proposed for automatically searching the best combination of attack algorithms and their hyperparameters from a candidate pool of 32 base attackers. We design a search space where attack policy is represented as an attacking sequence, i.e., the output of the previous attacker is used as the initialization input for successors. Multiobjective NSGA-II genetic algorithm is adopted for finding the strongest attack policy with minimum complexity. The experimental result shows CAA beats 10 top attackers on 11 diverse defenses with less elapsed time (6 × faster than Au-toAttack), and achieves the new state-of-the-art on l∞, l2 and unrestricted adversarial attacks.

show abstract

“…CW attack finds adversarial examples using CW losses instead of cross-entropy losses. Recently, Croce & Hein (2020) proposed autoattack (AA), which is a powerful ensemble attack with two extensions of the PGD attack and two existing attacks Andriushchenko et al, 2019). To defend against these adversarial attacks, various adversarial defense methods have been developed (Goodfellow et al, 2014;Kannan et al, 2018).…”

Section: Related Studiesmentioning

confidence: 99%

“…In particular, from the results against AA it can be seen that the effectiveness of OAT does not rely on obfuscated gradients (Athalye et al, 2018). This is because AA removes the possibility of gradient masking through the application of a combination of strong adaptive attacks and a black-box attack (Andriushchenko et al, 2019). However, while OAT brings a significant improvement in robustness against PGD attacks, it is relatively less effective against CW attacks.…”

Section: Ood Datasetsmentioning

confidence: 99%

Removing Undesirable Feature Contributions Using Out-of-Distribution Data

Lee¹,

Park²,

Lee³

et al. 2021

Preprint

View full text Add to dashboard Cite

Several data augmentation methods deploy unlabeled-in-distribution (UID) data to bridge the gap between the training and inference of neural networks. However, these methods have clear limitations in terms of availability of UID data and dependence of algorithms on pseudo-labels. Herein, we propose a data augmentation method to improve generalization in both adversarial and standard learning by using out-of-distribution (OOD) data that are devoid of the abovementioned issues. We show how to improve generalization theoretically using OOD data in each learning scenario and complement our theoretical analysis with experiments on CIFAR-10, CIFAR-100, and a subset of ImageNet. The results indicate that undesirable features are shared even among image data that seem to have little correlation from a human point of view. We also present the advantages of the proposed method through comparison with other data augmentation methods, which can be used in the absence of UID data. Furthermore, we demonstrate that the proposed method can further improve the existing state-of-the-art adversarial training.

show abstract

Square Attack: a query-efficient black-box adversarial attack via random search

Cited by 23 publications

References 26 publications

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Composite Adversarial Attacks

Removing Undesirable Feature Contributions Using Out-of-Distribution Data

Contact Info

Product

Resources

About