LG, ML | Feb 18, 2020

On the Matrix-Free Generation of Adversarial Perturbations for Black-Box Attacks

arXiv:2002.07317v1
AI Analysis

This work addresses a practical threat in machine learning security by improving efficiency for attackers, but it is incremental as it builds on existing black-box attack methods.

The paper tackles the problem of generating adversarial perturbations for black-box attacks on deep neural networks, proposing a method that requires fewer query trials and demonstrating its effectiveness by showing it deceives a semantic segmentation network more easily than random noise of the same magnitude.

In general, adversarial perturbations superimposed on inputs are realistic threats for a deep neural network (DNN). In this paper, we propose a practical method for generating such adversarial perturbations to be applied to black-box attacks that demand access to an input-output relationship only. Thus, the attackers generate such perturbations without invoking inner functions and/or accessing the inner states of a DNN. Unlike earlier studies, the algorithm to generate the perturbation presented in this study requires far fewer query trials. Moreover, to show the effectiveness of the adversarial perturbation extracted, we experiment with a DNN for semantic segmentation. The result shows that the network is more easily deceived with the generated perturbation than with uniformly distributed random noise of the same magnitude.
