HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Conference papers

SurFree: a fast surrogate-free black-box attack

Thibault Maho 1 Teddy Furon 1 Erwan Le Merrer 2
1 LinkMedia - Creating and exploiting explicit links between multimedia fragments
Inria Rennes – Bretagne Atlantique , IRISA-D6 - MEDIA ET INTERACTIONS
2 WIDE - the World Is Distributed Exploring the tension between scale and coordination
Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract : Machine learning classifiers are critically prone to evasion attacks. Adversarial examples are slightly modified inputs that are then misclassified, while remaining perceptively close to their originals. Last couple of years have witnessed a striking decrease in the amount of queries a black box attack submits to the target classifier, in order to forge adversarials. This particularly concerns the black-box score-based setup, where the attacker has access to top predicted probabilites: the amount of queries went from to millions of to less than a thousand. This paper presents SurFree, a geometrical approach that achieves a similar drastic reduction in the amount of queries in the hardest setup: black box decision-based attacks (only the top-1 label is available). We first highlight that the most recent attacks in that setup, HSJA, QEBA and GeoDA all perform costly gradient surrogate estimations. SurFree proposes to bypass these, by instead focusing on careful trials along diverse directions, guided by precise indications of geometrical properties of the classifier decision boundaries. We motivate this geometric approach before performing a head-to-head comparison with previous attacks with the amount of queries as a first class citizen. We exhibit a faster distortion decay under low query amounts (few hundreds to a thousand), while remaining competitive at higher query budgets.
Document type :
Conference papers
Complete list of metadata

https://hal.archives-ouvertes.fr/hal-03177639
Contributor : Teddy Furon Connect in order to contact the contributor
Submitted on : Tuesday, March 23, 2021 - 12:18:40 PM
Last modification on : Friday, April 8, 2022 - 4:08:03 PM

Links full text

Identifiers

  • HAL Id : hal-03177639, version 1
  • ARXIV : 2011.12807

Citation

Thibault Maho, Teddy Furon, Erwan Le Merrer. SurFree: a fast surrogate-free black-box attack. CVPR 2021 - Conference on Computer Vision and Pattern Recognition, Jun 2021, Virtual, France. pp.10430--10439. ⟨hal-03177639⟩

Share

Metrics

Record views

121