We propose an intriguingly simple method for the construction of adversarial images in the black-box setting. In constrast to the white-box scenario, constructing black-box adversarial images has the additional constraint on query budget, and efficient attacks remain an open problem to date. With only the mild assumption of continuous-valued confidence scores, our highly query-efficient algorithm utilizes the following simple iterative principle: we randomly sample a vector from a predefined orthonormal basis and either add or subtract it to the target image. Despite its simplicity, the proposed method can be used for both untargeted and targeted attacks -- resulting in previously unprecedented query efficiency in both settings. We demonstrate the efficacy and efficiency of our algorithm on several real world settings including the Google Cloud Vision API. We argue that our proposed algorithm should serve as a strong baseline for future black-box attacks, in particular because it is extremely fast and its implementation requires less than 20 lines of PyTorch code.
翻译:我们提议了一个有趣的简单方法来在黑箱设置中构建对立图像。在对白箱情景保持克制的情况下,构建黑箱对立图像会给查询预算带来额外的限制,高效袭击至今仍然是一个尚未解决的问题。只要假设持续估值信心分数的微小假设,我们的高查询效率算法就使用以下简单迭接原则:我们随机从预先定义或超自然的基础上对矢量进行取样,或者将其增减到目标图像中。尽管该拟议方法很简单,但可用于非目标袭击和定向袭击,从而在两种环境中都产生了前所未有的查询效率。我们展示了我们在若干真实世界环境中的算法的功效和效率,包括谷歌云视觉API。我们主张,我们提议的算法应该作为未来黑盒袭击的坚实基线,特别是因为它非常快速,其实施需要不到20行的PyTorch代码。