Advancing Few-Shot Black-Box Attack With Alternating Training

Bibliographic Details
Published in IEEE transactions on reliability Vol. 73; no. 3; pp. 1544 - 1558
Main Authors Meng, Lingzhuang; Shao, Mingwen; Wang, Fan; Qiao, Yuanjian; Xu, Zhaofei
Format Journal Article
Language English
Published IEEE 01.09.2024
Summary: Convolutional neural networks (CNNs) are known to be vulnerable to adversarial examples even in black-box scenarios, posing a significant threat to their reliability and security. Most existing black-box attack methods primarily focus on data-free scenarios, which often require a large number of queries and yield low attack success rates. But in practical applications, it is feasible to collect a small amount of data associated with the target network. In light of this, in this article, we propose an advancing few-shot black-box attack with alternating training scheme using few data and alternating training to improve the efficiency and attack success rate. Specifically, we propose an alternating training approach consisting of two parts, both aimed at optimizing the substitute network, which alternate and reinforce each other, leading to a significant reduction in the query budget required for a successful attack. In addition, we propose an image degradation (ID) module that expands the data volume diversity through ID techniques to mitigate the problem of generator overfitting. Furthermore, we design a model specific adapter to enable the substitute networks to dynamically adjust the parameters for different target networks. Extensive experiments demonstrate the efficacy of our approach in significantly reducing the query budget while achieving higher attack success rates compared to state-of-the-art competitors.
ISSN: 0018-9529, 1558-1721
DOI: 10.1109/TR.2024.3369865