We study the unique, less well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. Sparse attacks aim to discover a minimum number of perturbations to model inputs (the l0-bounded setting) to craft adversarial examples and misguide model decisions. But, in contrast to query-based dense attack counterparts against black-box models, constructing sparse adversarial perturbations, even when models serve confidence score information in response to queries in a score-based setting, is non-trivial. This is because such an attack leads to i) an NP-hard problem; and ii) a non-differentiable search space. We develop BruSLeAttack, a new, faster (more query-efficient) Bayesian algorithm for the problem. We conduct extensive attack evaluations, including an attack demonstration against a Machine Learning as a Service (MLaaS) offering exemplified by Google Cloud Vision, and robustness testing of adversarial training regimes and a recent defense against black-box attacks. The proposed attack scales to achieve state-of-the-art attack success rates and query efficiency on standard computer vision tasks such as ImageNet across different model architectures. Our artefacts and DIY attack samples are available on GitHub. Importantly, our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.