Subspace Attack: Exploiting Promising Subspaces for Query-Efficient Black-box Attacks
This work addresses the cost and detectability issues of black-box attacks for machine learning security, representing an incremental improvement over existing methods.
The paper tackles the problem of high query complexity in black-box adversarial attacks by exploiting gradients from reference models to define promising search subspaces, achieving up to 2x and 4x reductions in mean and median query numbers with lower failure rates.
Unlike the white-box counterparts that are widely studied and readily accessible, adversarial examples in black-box settings are generally more Herculean on account of the difficulty of estimating gradients. Many methods achieve the task by issuing numerous queries to target classification systems, which makes the whole procedure costly and suspicious to the systems. In this paper, we aim at reducing the query complexity of black-box attacks in this category. We propose to exploit gradients of a few reference models which arguably span some promising search subspaces. Experimental results show that, in comparison with the state-of-the-arts, our method can gain up to 2x and 4x reductions in the requisite mean and medium numbers of queries with much lower failure rates even if the reference models are trained on a small and inadequate dataset disjoint to the one for training the victim model. Code and models for reproducing our results will be made publicly available.