Sparse-RS: a versatile framework for query-efficient sparse black-box adversarial attacks
This addresses the problem of evaluating and improving adversarial robustness for machine learning models, particularly in resource-constrained black-box scenarios, representing a strong incremental advance in attack methodology.
The authors tackled the problem of query-efficient sparse adversarial attacks in black-box settings, proposing Sparse-RS which achieves state-of-the-art success rates and query efficiency across multiple sparse attack models including l0-bounded perturbations, patches, and frames, outperforming even white-box attacks on datasets like MNIST, CIFAR-10, and ImageNet.
We propose a versatile framework based on random search, Sparse-RS, for score-based sparse targeted and untargeted attacks in the black-box setting. Sparse-RS does not rely on substitute models and achieves state-of-the-art success rate and query efficiency for multiple sparse attack models: $l_0$-bounded perturbations, adversarial patches, and adversarial frames. The $l_0$-version of untargeted Sparse-RS outperforms all black-box and even all white-box attacks for different models on MNIST, CIFAR-10, and ImageNet. Moreover, our untargeted Sparse-RS achieves very high success rates even for the challenging settings of $20\times20$ adversarial patches and $2$-pixel wide adversarial frames for $224\times224$ images. Finally, we show that Sparse-RS can be applied to generate targeted universal adversarial patches where it significantly outperforms the existing approaches. The code of our framework is available at https://github.com/fra31/sparse-rs.