Curvature Dynamic Black-box Attack: revisiting adversarial robustness via dynamic curvature estimation

Peiran Sun

TL;DR

This work introduces Dynamic Curvature Estimation (DCE) to quantify decision boundary curvature in black-box, decision-based attacks and reveals a meaningful link between curvature and adversarial robustness. It then integrates DCE into a curvature-aware attack, Curvature Dynamic Black-box Attack (CDBA), featuring an abort protocol and a step parameter to manage query budgets. Empirical results show robust models exhibit flatter, lower-curvature decision boundaries, and CDBA achieves stronger attack performance under limited queries, outperforming CGBA baselines in targeted scenarios. Ablation studies validate the curvature-dynamics perspective and clarify the roles of normal-vector estimation, trajectory design, and parameter choices in curvature-based attack efficacy.

Abstract

Adversarial attacks reveal the vulnerability of deep learning models. It is assumed that high curvature may give rise to a rough decision boundary and thus result in less robust models. However, the most commonly used "curvature" is the curvature of the loss function, scores or other parameters from within the model, as opposed to decision boundary curvature, since the former can be relatively easily formed using the second-order derivative. In this paper, we propose a new query-efficient method, dynamic curvature estimation (DCE), to estimate the decision boundary curvature in a black-box setting. Our approach is based on CGBA, a black-box adversarial attack. By performing DCE on a wide range of classifiers, we discovered, statistically, a connection between decision boundary curvature and adversarial robustness. We also propose a new attack method, curvature dynamic black-box attack (CDBA), with improved performance using the estimated curvature.

Paper Structure

This paper contains 26 sections, 14 equations, 3 figures, 7 tables, 2 algorithms.

Figures (3)

  • Figure 1: Curvature dynamic searching process. The decision boundary $\partial \mathcal{O}$ between two iterations is approximated by circles with different curvature. The dashed line indicates the original semicircular path; the red dots are the points $(x,y)$ with minimum $\ell_2$-norm perturbation on the estimated boundary. The solid line is the trajectory of these closest points on the circles, which is the curvature dynamic trajectory.
  • Figure 2: CDBA with abort protocol and step parameter. The gray dashed line indicates the vanilla curvature dynamic trajectory. The blue line is the trajectory with added step parameter $\alpha=0.75$; the dashed part is the interval to abort curvature dynamic search.
  • Figure 3: $\|\mathbf{x}_{b_{t+1}}\|_2/\|\mathbf{x}_{b_{t}}\|_2$ in the first 10 iterations.