Query-efficient decision-based attack via sampling distribution reshaping
作者:
Highlights:
• We propose SDR, a gradient estimation algorithm for decision-based attack in highdimensional space, from a new perspective of view. In SDR, historical samples are fully utilized to reshape the next sampling distribution. The entire attack method is then realized by incorporating SDR into general geometric attack framework.
• We extend our SDR to different ℓp norms for p={2,∞}. Experimental results show that our SDR can outperform homogeneous decision-based methods for decision-based attack in highdimensional space, especially under low query budget.
• We also equip our SDR with prior knowledge, the low-frequency constraint, to enhance its performance. Equipped with this prior knowledge, SDR can reach lower ℓp norms for p={2,∞}.
摘要
•We propose SDR, a gradient estimation algorithm for decision-based attack in highdimensional space, from a new perspective of view. In SDR, historical samples are fully utilized to reshape the next sampling distribution. The entire attack method is then realized by incorporating SDR into general geometric attack framework.•We extend our SDR to different ℓp norms for p={2,∞}. Experimental results show that our SDR can outperform homogeneous decision-based methods for decision-based attack in highdimensional space, especially under low query budget.•We also equip our SDR with prior knowledge, the low-frequency constraint, to enhance its performance. Equipped with this prior knowledge, SDR can reach lower ℓp norms for p={2,∞}.
论文关键词:Adversarial examples,Decision-based attack,Image classification,Normal vector estimation,Distribution reshaping
论文评审过程:Received 30 September 2021, Revised 24 March 2022, Accepted 21 April 2022, Available online 22 April 2022, Version of Record 30 April 2022.
论文官网地址:https://doi.org/10.1016/j.patcog.2022.108728
