SemiAdv: Query-Efficient Black-Box Adversarial Attack with Unlabeled Images

Mingyuan Fan, Yang Liu, Cen Chen, Ximeng Liu

TL;DR

This paper tackles black-box adversarial attacks under realistic constraints by enabling unlabeled-data utilization to drastically reduce query costs. It introduces SemiAdv, a two-stage approach that first trains a substitute model via semi-supervised learning using unlabeled data and a small labeled subset, then conducts a local white-box attack (IPGD) to generate transferable adversarial samples. The method employs consistency regularization, entropy minimization, and mixup to create a robust substitute model with minimal queries, achieving up to a 12x reduction in query budget while maintaining around 90% attack success on benchmark datasets. Across MNIST, Fashion-MNIST, and CIFAR-10, SemiAdv demonstrates strong performance and robustness to network architecture and attack settings, underscoring the need for defense mechanisms against efficient unlabeled-data–driven black-box attacks.

Abstract

Adversarial attacks have garnered considerable attention due to their profound implications for the secure deployment of robots in sensitive security scenarios. To potentially push for advances in the field, this paper studies the adversarial attack in the black-box setting and proposes an unlabeled data-driven adversarial attack method, called SemiAdv. Specifically, SemiAdv achieves the following breakthroughs compared with previous works. First, by introducing the semi-supervised learning technique into the adversarial attack, SemiAdv substantially decreases the number of queries required for generating adversarial samples. On average, SemiAdv only needs to query a few hundred times to launch an effective attack with more than 90% success rate. Second, many existing black-box adversarial attacks require massive labeled data to mitigate the difference between the local substitute model and the remote target model for good attack performance, while SemiAdv relaxes this limitation and is capable of utilizing unlabeled raw data to launch an effective attack. Finally, our experiments show that SemiAdv saves up to 12x query accesses for generating adversarial samples while maintaining a competitive attack success rate compared with state-of-the-art attacks.

Paper Structure (21 sections, 9 equations, 3 figures, 7 tables, 2 algorithms)

Figures (3)

  • Figure 1: The workflow of SemiAdv.
  • Figure 2: Performance of different methods under different query numbers on MNIST, Fashion-MNIST, and CIFAR-10.
  • Figure 3: Accuracy of different substitute model architectures under query numbers ($\in \{100,200,400,800,1600\}$) in three benchmark datasets MNIST, Fashion-MNIST, and CIFAR-10.

Theorems & Definitions (1)

  • Definition 1