CBA: Black Box Attack Based on Circular Geometric Properties

doi:10.19678/j.issn.1000-3428.0070476

Abstract

Abstract: Deep Neural Networks (DNNs) are vulnerable to adversarial examples, Simply adding a small perturbation to a clean image can cause the classifier to produce a misclassification. Decision-based attacks are a class of black-box attacks that rely only on the target model to predict hard labeled outputs. It considers the target model as a black box, and the attack simply queries the results of the target model without needing access to the internal structure or parameter information of the model. This feature poses a serious threat to real-world applications. Current decision-based attack methods usually utilize gradient estimation to launch attacks near the decision boundary of the target model, but it requires high query cost and generates poor quality of adversarial examples with more serious distortion. In this paper, we find that the low-frequency information in the frequency space of an image can effectively capture important features of the image. Performing decision attack in low-frequency space not only helps to reduce the number of queries, but also generates high-quality adversarial samples. To this end, this research proposes a black-box attack method based on the geometric properties of circles, called CBA. The method utilizes the discrete cosine transform to obtain the adversarial examples in the frequency space by using the geometric properties of circles near the decision boundary in a continuous iteration. Finally, the inverse discrete cosine transform transforms them back into the input space. It avoids gradient estimation and significantly reduces the number of queries while guaranteeing the success rate of the attack. Experimental results on the ImageNet dataset show that the attack success rate of CBA for generating adversarial examples is higher than that of the latest black-box attack methods that utilize the geometric nature of the decision boundaries for query volumes of 500,1000,2000, respectively. And also, CBA has a higher attack success rate under different constraints for the same query volume. The above results show that CBA reduces the amount of queries required to generate adversarial examples and generates adversarial examples with less distortion and better image quality. In addition to this, the effectiveness of CBA was tested in a real-world model.

摘要： 深度神经网络（Deep Neural Networks, DNNs）容易受到对抗样本的攻击，仅需在干净图像中添加微小扰动就能导致分类器产生错误分类。基于决策的攻击是一类只依赖目标模型预测硬标签输出的黑盒攻击。它将目标模型视为黑匣子，攻击时只需对目标模型结果进行查询，而无需了解模型内部结构和参数信息，这种特性对现实世界的应用程序构成了严重的威胁。目前基于决策的攻击方法通常利用梯度估计在目标模型决策边界附近发动攻击，但需要高昂的查询代价且生成的对抗样本质量效果不佳，失真较为严重。本文研究发现，图像在频率空间中的低频信息能够有效表征其重要特征。在低频空间执行决策攻击，不仅有助于降低查询次数，还能生成高质量的对抗样本。为此，该研究提出一种基于圆几何性质的黑盒攻击方法，称为CBA。该方法利用离散余弦变换，将攻击位置选择在频率空间中进行，利用低频信息在其决策边界附近利用圆的几何性质不断迭代得到低频空间中的对抗样本。最后，逆离散余弦变换将其变换回输入空间。它避免了梯度估计，在保证攻击成功率的同时显著降低查询次数。在ImageNet数据集上的实验结果表明，CBA在查询量分别为500,1000,2000的情况下，生成对抗样本的攻击成功率均比最新利用决策边界的几何性质的黑盒攻击方法高。同时，CBA在相同查询量不同约束条件下，也具有更高的攻击成功率。以上结果表明，CBA减少了生成对抗样本所需的查询量，且生成的对抗样本失真更小，图像质量更佳。除此之外，还在现实世界模型中测试了CBA的有效性。

Zheng Desheng, Zheng Shuntian, Li Xiaoyu, Yin Hao, Wang Cong. CBA: Black Box Attack Based on Circular Geometric Properties[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0070476.

郑德生, 　郑舜天, 　李晓瑜, 　殷浩, 　王聪. CBA：基于圆几何性质的黑盒攻击方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0070476.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0070476

References

[1] LIU S, LIU F, HAO Z H, et al. Unsupervised few-shot image classification by learning features into clustering space[C]//European Conference on Computer Vision. Tel-Aviv, Switzerland: IEEE, 2022: 420-436.
[2] ZHANG Z D, XUE Z Y, CHEN Y, et al. Boosting Verified Training for Robust Image Classifications via Abstraction[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Vancouver, Canada: IEEE, 2023: 16251-16260.
[3] KERR J, KIM C M, GOLDBERG K, et al. Lerf: Language embedded radiance fields[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Piscataway, NJ: IEEE, 2023: 19729-19739.
[4] Shen S, Zhao W L, Meng Z B, et al. Difftalk: Crafting diffusion models for generalized audio-driven portraits animation [C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2023: 1982-1991.
[5] 李哲铭,王晋东,侯建中,等. 基于显著区域优化的对抗样本攻击方法[J]. 计算机工程, 2023, 49 (09): 246-255+2 64. DOI:10.19678/j.issn.1000-3428.0065814. LI Z M, WANG J D, HOU J Z, et al. Adversarial example attack method based on significant region optimization[J]. Computer Engineering, 2023, 49 (09):246-255+264. doi:10.19678/j.issn.1000-3428.0065814.
[6] 赵宏,宋馥荣,李文改. 基于SE-AdvGAN的图像对抗样本生成方法研究[J/OL]. 计算机工程, 1-13[2024-10-11]. https://doi.org/10.19678/j.issn.1000-3428.0068481. Z H, SONG F R, Li W G. Research on image adver -sarial example generation method based on SE-AdvGAN[J/OL]. Computer Engineering, 1-13[2024-10-11]. https://doi.org/10.19678/j.issn.1000-3428.0068481.
[7] 黄震. 基于模型检测的自动驾驶领域安全攸关对抗样本识别方法[D]. 上海: 华东师范大学, 2023: 44-47. HUANG Z. A model checking based approach to detect safety-critical adversarial examples on autonomous driving systems[D]. Shanghai: East China Normal University, 2023: 44-47.
[8] 蔺琛皓, 沈超, 邓静怡, 等. 虚假数字人脸内容生成与检测技术[J]. 计算机学报, 2023, 46(3): 469-498. LIN C H, SHEN C, DENG J Y, et al. Digitally forged face content creation and detection[J]. Journal of Computing, 2023, 46(3): 469-498.
[9] MAHO T, FURON T, LE MERRER E. Surfree: a fast surrogate-free black-box attack[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2021: 10430-10439.
[10] WANG X S, ZHANG Z L, TONG K H, et al. Triangle: A query-efficient decision-based adversarial attack [C]//European Conference on Computer Vision. Berlin: Springer, 2022: 156-174.
[11] AHMED N, NATARAJAN T, Rao K R. Discrete cosine transform[J]. IEEE transactions on Computers, 1974, 100(1): 90-93.
[12] RAHMATI A, MOOSAVI-DEZFOOLI S M, FROSSARD P, et al. Geoda: a geometric framework for black-box adver- sarial attacks[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2020: 8446-8455.
[13] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intrigu- ing properties of neural networks[C]//International Confer- ence on Learning Representations. Washington DC: ICLR, 2014: 1-12.
[14] BRENDEL W, RAUBER J, BETHGE M. Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models[C]//International Conference on Learning Representations. Washington DC: ICLR, 2018: 1-12
[15] CHENG M, ZHANG H, HSIEH C J, et al. Query-efficient hard-label black-box attack: An optimization-based approach[C]//International Conference on Learning Representations. Washington DC: ICLR, 2019: 1-12.
[16] Cheng M, Singh S, Chen P, et al. Sign-opt: A query-efficient hard-label adversarial attack[J]. arXiv preprint arXiv:1909.10773, 2019.
[17] CHEN J B, JORDAN M I, WAINWRIGHT M J. Hopskipjumpattack: A query-efficient decision-based attack [C]//2020 IEEE Symposium on Security and Privacy (S&P). Piscataway, NJ: IEEE, 2020: 1277-1294.
[18] LI H C, XU X J, ZHANG X L, et al. Qeba: Query-efficient boundary-based blackbox attack [C]//Proceedings of the IEEE/ CVF Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2020: 1221-1230.
[19] Liu Y, Moosavi-Dezfooli S M, Frossard P. A geometry-inspired decision-based attack[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. 2019: 4890-4898.
[20] SELVARAJU R R, COGSWELL M, Das A, et al. Grad-cam: Visual explanations from deep networks via gradient-based localization[C] //Proceedings of the IEEE International Conference on Computer Vision. Piscataway, NJ: IEEE, 2017: 618-626.
[21] RUSSAKOVSKY O, DENG J, SU H, et al. Imagenet Large Scale Visual Recognition Challenge[J]. International Journal of Computer Vision, 2015, 115: 211-252.
[22] LeCun Y, Bottou L, Bengio Y, et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324.
[23] Krizhevsky A, Nair V, Hinton G. Cifar-10 (canadian institute for advanced research)[J]. URL http://www. cs. toronto. edu/kriz/cifar. html, 2010, 5(4): 1.
[24] Krizhevsky A, Hinton G. Learning multiple layers of features from tiny images[J]. 2009.
[25] SIMONYAN K, ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[C]//International Conference on Learning Representations. Washington DC: ICLR, 2015: 1-14.
[26] HE K M, ZHANG X Y, REN S Q, et al. Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2016: 770-778.
[27] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the inception architecture for computer vision[C]//Procee- dings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2016: 2818-2826.
[28] HOWARD A, SANDLER M, CHU G, et al. Searching for mobilenetv3 [C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Piscataway, NJ: IEEE, 2019: 1314-1324.
[29] HUANG G, LIU Z, VAN Der MAATEN L, et al. Densely connected convolutional networks[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2017: 4700-4708.
[30] Shukla S N, Sahu A K, Willmott D, et al. Simple and efficient hard label black-box adversarial attacks in low query budget regimes[C]//Proceedings of the 27th ACM SIGKDD conference on knowledge discovery & data mining. 2021: 1461-1469.
[31] Kolesnikov A, Beyer L, Zhai X, et al. Big transfer (bit): General visual representation learning[C]//Computer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part V 16. Springer International Publishing, 2020: 491-507.
[32] Alexey D. An image is worth 16x16 words: Transformers for image recognition at scale[J]. arXiv preprint arXiv: 2010.11929, 2020.
[33] Cheng M, Le T, Chen P Y, et al. Query-efficient hard-label black-box attack: An optimization-based approach[J]. arXiv preprint arXiv:1807.04457, 2018.

Please choose a citation manager

Content to export