LG · CR · CV · Mar 28, 2022

Boosting Black-Box Adversarial Attacks with Meta Learning

arXiv:2203.14607v15 citations · h-index: 60
Originality: Incremental advance
AI Analysis

This work addresses a practical limitation in adversarial machine learning for security applications, but it is incremental as it builds on existing black-box attack methods.

The paper tackles the problem of low success rates and high query counts in black-box adversarial attacks on deep neural networks by proposing a hybrid method that uses meta adversarial perturbations as initialization, resulting in improved attack success rates and reduced query numbers in experiments.

Deep neural networks (DNNs) have achieved remarkable success in diverse fields. However, it has been demonstrated that DNNs are very vulnerable to adversarial examples even in black-box settings. A large number of black-box attack methods have been proposed in the literature. However, those methods usually suffer from low success rates and large query counts, which cannot fully satisfy practical purposes. In this paper, we propose a hybrid attack method which trains meta adversarial perturbations (MAPs) on surrogate models and performs black-box attacks by estimating gradients of the models. Our method uses the meta adversarial perturbation as an initialization and subsequently trains any black-box attack method for several epochs. Furthermore, the MAPs enjoy favorable transferability and universality, in the sense that they can be employed to boost performance of other black-box adversarial attack methods. Extensive experiments demonstrate that our method not only improves the attack success rates, but also reduces the number of queries compared to other methods.

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
