
BlackboxBench: A Comprehensive Benchmark of Black-box Adversarial Attacks

Meixi Zheng, Xuanchen Yan, Zihao Zhu, Hongrui Chen, Baoyuan Wu

TL;DR

BlackboxBench tackles the fragmentation in black-box adversarial research by providing a unified, modular benchmark that standardizes evaluations across 29 query-based and 30 transfer-based attacks, totaling 14,950 experiments on CIFAR-10 and an ImageNet subset. It introduces a five-module codebase with a central Attack module enabling flexible composition and fair comparisons, plus analytical tools that dissect data, architectures, budgets, and defenses. The study delivers systematic performance insights, highlighting CISA as state-of-the-art for decision-based attacks, MCG for score-based attacks, and SIA (untargeted) and Bayesian Attack (targeted) for transfer-based attacks, while revealing the nuanced roles of data, model architecture, and defense in shaping vulnerability and transferability. The work also provides a public leaderboard and extensive experimental details to facilitate reproducibility and guide future research into robust defenses and more effective black-box attack strategies.

Abstract

Adversarial examples are well-known tools to evaluate the vulnerability of deep neural networks (DNNs). Although many adversarial attack algorithms have been developed, the practical scenario in which the model's parameters and architectures are inaccessible to the attacker/evaluator, i.e., black-box adversarial attacks, remains challenging. Due to its practical importance, recent algorithms have made rapid progress, reflected by the quick increase in attack success rate and the quick decrease in the number of queries to the target model. However, thorough evaluations and comparisons among these algorithms are lacking, which makes it difficult to track real progress, to analyze the advantages and disadvantages of different technical routes, and to design a future development roadmap for this field. Thus, we aim to build a comprehensive benchmark of black-box adversarial attacks, called BlackboxBench. It mainly provides: 1) a unified, extensible and modular-based codebase, implementing 29 query-based attack algorithms and 30 transfer-based attack algorithms; 2) comprehensive evaluations: we evaluate the implemented algorithms against several mainstream model architectures on 2 widely used datasets (CIFAR-10 and a subset of ImageNet), leading to 14,950 evaluations in total; 3) thorough analysis and new insights, as well as analytical tools. The website and source code of BlackboxBench are available at https://blackboxbenchmark.github.io/ and https://github.com/SCLBD/BlackboxBench/, respectively.

Paper Structure

This paper contains 64 sections, 13 equations, 34 figures, 7 tables, 3 algorithms.

Figures (34)

  • Figure 1: The general structure of the modular-based codebase of BlackboxBench.
  • Figure 2: Graphical illustrations of score-based attack (left), decision-based attack (middle) and transfer-based attack (right), under the untargeted attack setting.
  • Figure 3: Taxonomy of black-box adversarial attacks, and implemented methods in each category.
  • Figure 4: Unified pipelines of attack modules in decision-based attack methods (top), score-based attack methods (middle), and transfer-based attack methods (bottom).
  • Figure 5: Result overview of query-based attacks. The overviews of various decision-based (top row) and score-based (bottom row) black-box adversarial attacks implemented in BlackboxBench. The first column shows attack performances, measured using ASR and AQN metrics. The second and third columns present performance summaries w.r.t. years and attack categories, respectively. Each color-mark pattern denotes an attack setting.
  • ...and 29 more figures