ADBA: Approximation Decision Boundary Approach for Black-Box Adversarial Attacks
Authors: Feiyang Wang, Xingquan Zuo, Hai Huang, Gang Chen
AAAI 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Comprehensive experiments. We perform comprehensive experiments for decision-based black-box attacks using a variety of image classification models. We select 6 well-known deep models that span a wide range of architectures. We compare our methods with four state-of-the-art decision-based adversarial attack approaches. The results show that our methods can generate adversarial examples with a high attack success rate (i.e., fooling rate) while using a small number of queries. |
| Researcher Affiliation | Academia | Feiyang Wang1,2, Xingquan Zuo1,2*, Hai Huang1,2, Gang Chen3 1School of Computer Science, Beijing University of Posts and Telecommunications, Beijing, China 2Key Laboratory of Trustworthy Distributed Computing and Services, Ministry of Education, Beijing, China 3School of Engineering and Computer Science, Victoria University of Wellington, Wellington, New Zealand EMAIL, EMAIL |
| Pseudocode | Yes | Algorithm 1: Approximate Decision Boundary Approach. Input: Model F, the original image x and its label y(x), and maximum perturbation strength ϵ; Output: Optimal direction dbest with approximation decision boundary rbest; Initialization: Initialize current best direction dbest ← (1, ..., 1), and set current best perturbation strength rbest ← 1, block variable s ← 0 and block index k ← 0; ... Algorithm 2: Compare Directions Using ADB. Input: Model F, original image x and its label y(x), current best direction dbest with approximation decision boundary rbest, two new directions d1, d2, and search tolerance τ; Output: New best direction dbest with approximation decision boundary rbest; Initialization: Set ADB r ← rbest, start ← 0, end ← rbest |
| Open Source Code | Yes | Code https://github.com/BUPTAIOC/ADBA |
| Open Datasets | Yes | Datasets and target models. We evaluate the performance of ADBA and ADBA-md on the ImageNet dataset (Deng et al. 2009). |
| Dataset Splits | Yes | For six pre-trained models, we randomly select 1,000 correctly classified images from the ImageNet test set for each model. |
| Hardware Specification | Yes | Our experiments are conducted on a server with an Intel Xeon Gold 6330 CPU, NVIDIA 4090 GPUs using PyTorch 2.3.0, Torchvision 0.18.0 on the Python 3.11.5 platform. |
| Software Dependencies | Yes | Our experiments are conducted on a server with an Intel Xeon Gold 6330 CPU, NVIDIA 4090 GPUs using PyTorch 2.3.0, Torchvision 0.18.0 on the Python 3.11.5 platform. |
| Experiment Setup | Yes | Following cutting-edge research on black-box adversarial attacks (Chen and Gu 2020; Moon, An, and Song 2019), we adopt the l∞ norm and set the perturbation strength threshold ϵ = 0.05. Meanwhile, the query budget is set to 10000 for each model (Chen and Gu 2020). The parameters in the distribution function ρ(r) = a(\|r/rbest + d\|)^b + c, r ∈ [0, rbest] are set to a = 0.0313, b = 3.066, c = 0.168, and d = 1.134 according to Appendix D. The search tolerance threshold is τ = 10^-5. |
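The direction comparison quoted in the Pseudocode row (Algorithm 2) can be sketched as a binary search over the approximation decision boundary (ADB): at each midpoint strength, query the model along both candidate directions and keep the one that becomes adversarial at a smaller strength. This is a minimal sketch under assumptions not stated in the table (an l∞-style perturbation `x + r·sign(d)`, inputs in [0, 1], and the helper names `is_adversarial` / `compare_directions_adb`, which are hypothetical, not from the paper):

```python
import numpy as np

def is_adversarial(model, x, y, d, r):
    """One model query: does perturbing x along sign(d) with strength r flip the label?
    (Assumes an l-infinity perturbation and pixel values clipped to [0, 1].)"""
    x_adv = np.clip(x + r * np.sign(d), 0.0, 1.0)
    return model(x_adv) != y

def compare_directions_adb(model, x, y, d_best, r_best, d1, d2, tau=1e-5):
    """Sketch of Algorithm 2: binary-search the ADB in [0, r_best] to decide
    which of d1, d2 crosses the decision boundary at a smaller strength."""
    start, end = 0.0, r_best
    while end - start > tau:
        mid = (start + end) / 2.0
        a1 = is_adversarial(model, x, y, d1, mid)
        a2 = is_adversarial(model, x, y, d2, mid)
        if a1 and not a2:
            return d1, mid      # d1 is already adversarial at mid, d2 is not
        if a2 and not a1:
            return d2, mid
        if a1 and a2:
            end = mid           # both adversarial: the boundary lies below mid
        else:
            start = mid         # neither adversarial: the boundary lies above mid
    return d_best, r_best       # indistinguishable within tolerance tau
```

The search stops as soon as the two directions disagree at the midpoint, so each comparison typically costs far fewer queries than locating either boundary exactly, which matches the paper's emphasis on query efficiency.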