Prior Convictions: Black-Box Adversarial Attacks with Bandits and Priors
This addresses the challenge of efficient adversarial attacks for security evaluation, though it is incremental as it builds on existing black-box attack frameworks.
The authors tackled the problem of generating adversarial examples in black-box settings where only loss-oracle access is available, showing that current methods are optimal but can be improved by incorporating gradient priors, resulting in methods that use 2-4 times fewer queries and fail 2-5 times less often.
We study the problem of generating adversarial examples in a black-box setting in which only loss-oracle access to a model is available. We introduce a framework that conceptually unifies much of the existing work on black-box attacks, and we demonstrate that the current state-of-the-art methods are optimal in a natural sense. Despite this optimality, we show how to improve black-box attacks by bringing a new element into the problem: gradient priors. We give a bandit optimization-based algorithm that allows us to seamlessly integrate any such priors, and we explicitly identify and incorporate two examples. The resulting methods use two to four times fewer queries and fail two to five times less often than the current state-of-the-art.