Title | On the Design of Black-Box Adversarial Examples by Leveraging Gradient-Free Optimization and Operator Splitting Method |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Zhao, Pu, Liu, Sijia, Chen, Pin-Yu, Hoang, Nghia, Xu, Kaidi, Kailkhura, Bhavya, Lin, Xue |
Conference Name | 2019 IEEE/CVF International Conference on Computer Vision (ICCV) |
Keywords | ADMM solution framework, advanced AI platforms, alternating direction method of multipliers, Bayes methods, Bayesian optimization, Black Box Security, black-box adversarial attack generation methods, black-box adversarial attacks, black-box adversarial examples, black-box attacks, BO-ADMM, competitive attack success rates, Complexity theory, composability, Convex functions, distortion, distortion metrics, Estimation, gradient-free optimization, gradient-free regime, image classification, image retrieval, learning (artificial intelligence), Measurement, Metrics, operator splitting method, optimisation, Optimization, Perturbation methods, pubcrawl, query complexities, resilience, Resiliency, robust machine learning, security of data, zeroth-order optimization, ZO-ADMM |
Abstract | Robust machine learning is currently one of the most prominent topics which could potentially help shape a future of advanced AI platforms that not only perform well in average cases but also in worst cases or adverse situations. Despite the long-term vision, however, existing studies on black-box adversarial attacks are still restricted to very specific settings of threat models (e.g., a single distortion metric and restrictive assumptions on the target model's feedback to queries) and/or suffer from prohibitively high query complexity. To push for further advances in this field, we introduce a general framework based on an operator splitting method, the alternating direction method of multipliers (ADMM), to devise efficient, robust black-box attacks that work with various distortion metrics and feedback settings without incurring high query complexity. Due to the black-box nature of the threat model, the proposed ADMM solution framework is integrated with zeroth-order (ZO) optimization and Bayesian optimization (BO), and thus is applicable to the gradient-free regime. This results in two new black-box adversarial attack generation methods, ZO-ADMM and BO-ADMM. Our empirical evaluations on image classification datasets show that our proposed approaches have much lower function query complexities compared to state-of-the-art attack methods, but achieve very competitive attack success rates. |
DOI | 10.1109/ICCV.2019.00021 |
Citation Key | zhao_design_2019 |
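Worked example (added here as an illustration; this is not the authors' code or the paper's implementation). It sketches the splitting the abstract describes: the attack objective is split into a loss term f(x0 + delta), minimized with a zeroth-order gradient step that uses only score queries, and a distortion term on a copy z, minimized by its proximal operator, with the ADMM dual variable u tying delta and z together. Changing the distortion metric only changes the prox step, which is what lets one ADMM loop serve several metrics. The victim model (a two-class linear scorer), the input x0, the query accounting and every hyper-parameter are constructed for this example; the gradient estimator is a deterministic coordinate-wise forward difference (d + 1 queries) so the run is reproducible, whereas the paper's ZO-ADMM relies on randomized zeroth-order estimators to keep query counts low. Score-based feedback is assumed.

```python
"""Toy ZO-ADMM-style black-box attack using score queries only.

Added illustration, not the paper's code. The victim model, the input x0 and
all hyper-parameters are constructed for this example.
"""
from typing import Callable, List, Optional

Vec = List[float]


class QueryCounter:
    """Wraps the victim so every score query is counted (query complexity)."""

    def __init__(self, scores_fn: Callable[[Vec], Vec]):
        self._fn = scores_fn
        self.queries = 0

    def __call__(self, x: Vec) -> Vec:
        self.queries += 1
        return self._fn(x)


# Constructed victim: 2-class linear scorer over 3 features in [0, 1].
# The attacker never reads W or B; it only calls the query oracle.
W = [[2.0, -1.0, 0.5], [-1.0, 1.0, 0.0]]
B = [0.0, 0.0]


def toy_scores(x: Vec) -> Vec:
    return [sum(wi * xi for wi, xi in zip(w, x)) + b for w, b in zip(W, B)]


def argmax(v: Vec) -> int:
    return max(range(len(v)), key=v.__getitem__)


def clip_box(x: Vec) -> Vec:
    """Probes must stay in the model's valid input domain [0, 1]."""
    return [min(1.0, max(0.0, v)) for v in x]


def margin_loss(scores: Vec, label: int, kappa: float) -> float:
    """CW-style margin: zero once the true class loses by at least kappa."""
    other = max(s for j, s in enumerate(scores) if j != label)
    return max(0.0, scores[label] - other + kappa)


def zo_gradient(oracle, x: Vec, label: int, kappa: float, mu: float) -> Vec:
    """Coordinate-wise forward differences: d + 1 score queries per estimate."""
    base = margin_loss(oracle(clip_box(x)), label, kappa)
    grad = []
    for i in range(len(x)):
        probe = list(x)
        probe[i] += mu
        grad.append((margin_loss(oracle(clip_box(probe)), label, kappa) - base) / mu)
    return grad


def soft_threshold(v: float, t: float) -> float:
    """Prox of t*|v|: the closed-form z-step for an L1 distortion penalty."""
    if v > t:
        return v - t
    if v < -t:
        return v + t
    return 0.0


def prox_distortion(v: Vec, x0: Vec, lam: float, rho: float, metric: str) -> Vec:
    """z-step: prox of the distortion penalty, then projection onto x0 + z in [0, 1]."""
    if metric == "l1":
        z = [soft_threshold(vi, lam / rho) for vi in v]
    elif metric == "l2":  # prox of (lam/2) * ||z||_2^2
        z = [vi / (1.0 + lam / rho) for vi in v]
    else:
        raise ValueError("unsupported distortion metric: " + metric)
    return [min(1.0 - x0i, max(-x0i, zi)) for zi, x0i in zip(z, x0)]


def zo_admm_attack(oracle, x0: Vec, label: int, metric: str = "l1", lam: float = 0.1,
                   rho: float = 1.0, eta: float = 0.05, kappa: float = 0.1,
                   mu: float = 0.01, max_iter: int = 500) -> Optional[Vec]:
    d = len(x0)
    delta, z, u = [0.0] * d, [0.0] * d, [0.0] * d
    for _ in range(max_iter):
        # delta-step: one ZO gradient step on f(x0+delta) + (rho/2)||delta - z + u||^2
        g = zo_gradient(oracle, [a + b for a, b in zip(x0, delta)], label, kappa, mu)
        delta = [di - eta * (gi + rho * (di - zi + ui)) for di, gi, zi, ui in zip(delta, g, z, u)]
        # z-step: prox of the distortion term plus box projection (closed form, no queries)
        z = prox_distortion([di + ui for di, ui in zip(delta, u)], x0, lam, rho, metric)
        # dual update enforcing delta = z
        u = [ui + di - zi for ui, di, zi in zip(u, delta, z)]
        # z satisfies the constraints, so x0 + z is the candidate adversarial example
        cand = [a + b for a, b in zip(x0, z)]
        if argmax(oracle(cand)) != label:
            return cand
    return None


def run_demo(metric: str = "l1") -> dict:
    oracle = QueryCounter(toy_scores)
    x0 = [0.7, 0.3, 0.5]                 # constructed clean input, predicted as class 0
    label = argmax(toy_scores(x0))       # clean label assumed known; not counted as an attack query
    adv = zo_admm_attack(oracle, x0, label, metric=metric)
    if adv is None:
        return {"success": False, "queries": oracle.queries}
    return {"success": True, "queries": oracle.queries, "adv_label": argmax(toy_scores(adv)),
            "l1": sum(abs(a - b) for a, b in zip(adv, x0)),
            "in_box": all(0.0 <= v <= 1.0 for v in adv)}


if __name__ == "__main__":
    for m in ("l1", "l2"):
        print(m, run_demo(m))
```

On this toy victim both metrics flip the label after three ADMM iterations, i.e. 15 score queries, with an L1 distortion of 0.759 for the L1 prox. The point to take from the structure is that the query budget is spent only in the delta-step (gradient estimate) and the success check; the distortion handling is query-free and can be swapped by changing one prox function.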