TY - GEN
T1 - Boosting Black-Box Adversarial Attacks with Meta Learning
AU - Fu, Junjie
AU - Sun, Jian
AU - Wang, Gang
N1 - Publisher Copyright:
© 2022 Technical Committee on Control Theory, Chinese Association of Automation.
PY - 2022
Y1 - 2022
N2 - Deep neural networks (DNNs) have achieved remarkable success in diverse fields. However, it has been demonstrated that DNNs are very vulnerable to adversarial examples even in black-box settings. A large number of black-box attack methods have been proposed in the literature. However, those methods usually suffer from low success rates and large query counts, which cannot fully satisfy practical purposes. In this paper, we propose a hybrid attack method which trains meta adversarial perturbations (MAPs) on surrogate models and performs black-box attacks by estimating gradients of the models. Our method uses the meta adversarial perturbation as an initialization and subsequently trains any black-box attack method for several epochs. Furthermore, the MAPs enjoy favorable transferability and universality, in the sense that they can be employed to boost the performance of other black-box adversarial attack methods. Extensive experiments demonstrate that our method not only improves the attack success rates, but also reduces the number of queries compared to other methods.
KW - Deep neural networks
KW - adversarial examples
KW - black-box attack
KW - meta adversarial perturbation
KW - transferability
UR - http://www.scopus.com/inward/record.url?scp=85140468807&partnerID=8YFLogxK
U2 - 10.23919/CCC55666.2022.9901576
DO - 10.23919/CCC55666.2022.9901576
M3 - Conference contribution
AN - SCOPUS:85140468807
T3 - Chinese Control Conference, CCC
SP - 7308
EP - 7313
BT - Proceedings of the 41st Chinese Control Conference, CCC 2022
A2 - Li, Zhijun
A2 - Sun, Jian
PB - IEEE Computer Society
T2 - 41st Chinese Control Conference, CCC 2022
Y2 - 25 July 2022 through 27 July 2022
ER -