Contract And Conquer: How to Provably Compute Adversarial Examples for a Black-Box Model?
This addresses the need for provable robustness testing in deep learning, offering a novel guarantee for black-box attacks, though it is incremental in improving existing attack frameworks.
The paper tackles the problem of black-box adversarial attacks lacking guarantees by proposing Contract And Conquer (CAC), a method that provably computes adversarial examples for neural networks, outperforming state-of-the-art methods on ImageNet with vision transformers.
Black-box adversarial attacks are widely used as tools to test the robustness of deep neural networks against malicious perturbations of input data aimed at a specific change in the output of the model. Such methods, although they remain empirically effective, usually do not guarantee that an adversarial example can be found for a particular model. In this paper, we propose Contract And Conquer (CAC), an approach to provably compute adversarial examples for neural networks in a black-box manner. The method is based on knowledge distillation of a black-box model on an expanding distillation dataset and precise contraction of the adversarial example search space. CAC is supported by the transferability guarantee: we prove that the method yields an adversarial example for the black-box model within a fixed number of algorithm iterations. Experimentally, we demonstrate that the proposed approach outperforms existing state-of-the-art black-box attack methods on ImageNet dataset for different target models, including vision transformers.