
Efficient Black-box Adversarial Attack With Low Query Cost

Posted on: 2021-04-26 | Degree: Master | Type: Thesis
Country: China | Candidate: J H Cai
GTID: 2428330620468103 | Subject: Software engineering
Abstract/Summary:
With the rapid development of deep learning, deep neural networks play an important role in fields such as computer vision, natural language processing and speech recognition. However, recent studies have shown that neural networks without any defensive mechanism are easily affected by small perturbations. For example, an attacker can generate a small perturbation that is hard for the human eye to detect but fools the neural network into classifying the adversarial picture into a wrong category with high confidence. For this reason, adversarial examples are harmful in fields that need security, such as self-driving systems.

There are two kinds of adversarial attacks. The first kind is the white-box adversarial attack. It assumes that attackers can obtain not only the outputs of models but also the structures and parameters of the target deep models. It is easy for attackers to generate adversarial examples from the models' parameters and defeat white-box models. The other kind is the black-box adversarial attack. It is more practical, and it assumes that attackers cannot obtain the models' parameters. The black-box adversarial attack is more difficult than the white-box adversarial attack but more harmful.

We propose a black-box attack method called Multi-Model Efficient Query Attack (MEQA) to solve the problem that state-of-the-art black-box attack methods need many queries to estimate the gradients of black-box models. We believe that some relationship exists between white-box models and the target black-box model, so MEQA uses the gradients of white-box models to estimate the black-box model's gradient and guide the direction of the optimization during the attack. Moreover, we combine the natural evolution strategy (NES) with MEQA to fine-tune the adversarial example. To improve the success rate of targeted attacks, we define a new targeted attack loss called CombineLoss and a new targeted attack method called Target MEQA-NES. In short, MEQA has good attack performance and improves the query efficiency of black-box attacks.

The main contributions of this paper are as follows:

1. We propose the Multi-Model Efficient Query Attack (MEQA) method to improve the query efficiency of black-box adversarial attacks. MEQA uses the white-box models' gradients to estimate the black-box model's gradient instead of estimating it with mathematical methods only. This change helps MEQA greatly improve the query efficiency.
2. MEQA's effect depends on how closely related the white-box models and the black-box model are. When the relationship is weak, MEQA has a poor attack success rate. We therefore propose MEQA-NES, which combines the white-box models' gradient directions with Gaussian random directions to estimate the real black-box model gradients. Moreover, we use an Encoder and a Generator to reduce the search dimension. MEQA-NES is both efficient and effective.
3. In the field of targeted adversarial attacks, we propose CombineLoss, which combines the untargeted adversarial attack loss and the ordinary targeted adversarial loss. Our method, called Target MEQA-NES, is designed to attack face recognition. It can disguise an ordinary person as a target celebrity.
4. We design the MEQA algorithm and run experiments on the classification task and the face recognition task. MEQA has good results on all of the tasks, which proves our assumption that a relationship exists between all deep neural models.
Keywords/Search Tags: Black-box Model Attack, Adversarial Example, Transfer Attack, Model Robustness, Face Adversarial Attack