Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks
This addresses the problem of efficient adversarial attacks in black-box settings for security and robustness testing, representing a novel method for a known bottleneck.
The paper tackles the high query complexity in black-box hard-label adversarial attacks by proposing Tangent Attack, a geometric-based approach that identifies optimal tangent points on the decision boundary to reduce distortion, achieving low-magnitude distortion with a small number of queries on ImageNet and CIFAR-10 datasets.
One major problem in black-box adversarial attacks is the high query complexity in the hard-label attack setting, where only the top-1 predicted label is available. In this paper, we propose a novel geometric-based approach called Tangent Attack (TA), which identifies an optimal tangent point of a virtual hemisphere located on the decision boundary to reduce the distortion of the attack. Assuming the decision boundary is locally flat, we theoretically prove that the minimum $\ell_2$ distortion can be obtained by reaching the decision boundary along the tangent line passing through such tangent point in each iteration. To improve the robustness of our method, we further propose a generalized method which replaces the hemisphere with a semi-ellipsoid to adapt to curved decision boundaries. Our approach is free of pre-training. Extensive experiments conducted on the ImageNet and CIFAR-10 datasets demonstrate that our approach can consume only a small number of queries to achieve the low-magnitude distortion. The implementation source code is released online at https://github.com/machanic/TangentAttack.