Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

EvolBA: Evolutionary Boundary Attack under Hard-label Black Box condition

Ayane Tajima, Satoshi Ono

TL;DR

This work tackles adversarial vulnerability assessment under hard-label black-box (HL-BB) conditions, where only the top-1 class label is available and gradient information is inaccessible. It introduces EvolBA, an Evolutionary Boundary Attack that hybridizes Sep-CMA-ES with Boundary Attack, and augments it with fractal-based initialization and a fractal jump operator to enhance exploration in ultra-high-dimensional perturbation spaces. The objective minimizes the perturbation while ensuring misclassification, formalized as $f(m{ ilde{x}})=||m{ ilde{x}}-m{x}_{orig}|| + f_p(m{ ilde{x}})$ subject to $ abla ext{C}(m{ ilde{x}}) eq abla ext{C}(m{x}_{orig})$, with a penalty $f_p$ that disfavors non-adversarial offspring. Empirical results on VGG19, ResNet-50, Inception-v3, and ViT show EvolBA often yields smaller perturbations than Boundary Attack and competitive performance against HSJA, with fractal initialization and jump operators providing clear gains in several settings. This work advances gradient-free adversarial testing for commercial models and suggests future refinements in fractal selection and adaptive jumping strategies.

Abstract

Research has shown that deep neural networks (DNNs) have vulnerabilities that can lead to the misrecognition of Adversarial Examples (AEs) with specifically designed perturbations. Various adversarial attack methods have been proposed to detect vulnerabilities under hard-label black box (HL-BB) conditions in the absence of loss gradients and confidence scores.However, these methods fall into local solutions because they search only local regions of the search space. Therefore, this study proposes an adversarial attack method named EvolBA to generate AEs using Covariance Matrix Adaptation Evolution Strategy (CMA-ES) under the HL-BB condition, where only a class label predicted by the target DNN model is available. Inspired by formula-driven supervised learning, the proposed method introduces domain-independent operators for the initialization process and a jump that enhances search exploration. Experimental results confirmed that the proposed method could determine AEs with smaller perturbations than previous methods in images where the previous methods have difficulty.

EvolBA: Evolutionary Boundary Attack under Hard-label Black Box condition

TL;DR

This work tackles adversarial vulnerability assessment under hard-label black-box (HL-BB) conditions, where only the top-1 class label is available and gradient information is inaccessible. It introduces EvolBA, an Evolutionary Boundary Attack that hybridizes Sep-CMA-ES with Boundary Attack, and augments it with fractal-based initialization and a fractal jump operator to enhance exploration in ultra-high-dimensional perturbation spaces. The objective minimizes the perturbation while ensuring misclassification, formalized as subject to , with a penalty that disfavors non-adversarial offspring. Empirical results on VGG19, ResNet-50, Inception-v3, and ViT show EvolBA often yields smaller perturbations than Boundary Attack and competitive performance against HSJA, with fractal initialization and jump operators providing clear gains in several settings. This work advances gradient-free adversarial testing for commercial models and suggests future refinements in fractal selection and adaptive jumping strategies.

Abstract

Research has shown that deep neural networks (DNNs) have vulnerabilities that can lead to the misrecognition of Adversarial Examples (AEs) with specifically designed perturbations. Various adversarial attack methods have been proposed to detect vulnerabilities under hard-label black box (HL-BB) conditions in the absence of loss gradients and confidence scores.However, these methods fall into local solutions because they search only local regions of the search space. Therefore, this study proposes an adversarial attack method named EvolBA to generate AEs using Covariance Matrix Adaptation Evolution Strategy (CMA-ES) under the HL-BB condition, where only a class label predicted by the target DNN model is available. Inspired by formula-driven supervised learning, the proposed method introduces domain-independent operators for the initialization process and a jump that enhances search exploration. Experimental results confirmed that the proposed method could determine AEs with smaller perturbations than previous methods in images where the previous methods have difficulty.
Paper Structure (18 sections, 9 equations, 15 figures, 2 tables, 4 algorithms)

This paper contains 18 sections, 9 equations, 15 figures, 2 tables, 4 algorithms.

Table of Contents

  1. Introduction
  2. Related work
  3. Hard-label black-box adversarial attack
  4. Formula-driven supervised learning
  5. Proposed evolutionary boundary attack method (EvolBA)
  6. Key ideas
  7. Formulation
  8. Variables
  9. Objective function
  10. Algorithm of EvolBA
  11. Initialization using a fractal image
  12. Jump operator
  13. Update a mean vector of Sep-CMA-ES
  14. Preliminary experiments
  15. Evaluation
  16. ...and 3 more sections

Figures (15)

  • Figure 1: Sampling and evaluating offspring
  • Figure 2: Moving on the decision boundary
  • Figure 3: Step-size adaptation
  • Figure 4: Moving towrad the original image
  • Figure 6: Initial solution generation processes.
  • ...and 10 more figures