This work investigates efficient score-based black-box adversarial attacks with a high Attack Success Rate (ASR) and good generalizability. We design a novel attack method based on a Disentangled Feature space, called DifAttack, which differs significantly from the existing ones operating over the entire feature space. Specifically, DifAttack firstly disentangles an image's latent feature into an adversarial feature and a visual feature, where the former dominates the adversarial capability of an image, while the latter largely determines its visual appearance. We train an autoencoder for the disentanglement by using pairs of clean images and their Adversarial Examples (AEs) generated from available surrogate models via white-box attack methods. Eventually, DifAttack iteratively optimizes the adversarial feature according to the query feedback from the victim model until a successful AE is generated, while keeping the visual feature unaltered. In addition, due to the avoidance of using surrogate models' gradient information when optimizing AEs for black-box models, our proposed DifAttack inherently possesses better attack capability in the open-set scenario, where the training dataset of the victim model is unknown. Extensive experimental results demonstrate that our method achieves significant improvements in ASR and query efficiency simultaneously, especially in the targeted attack and open-set scenarios. The code will be available at https://github.com/csjunjun/DifAttack.git soon.

翻译：本文研究了基于得分的黑盒对抗攻击，旨在实现高攻击成功率（ASR）与良好泛化性。我们设计了一种基于解耦特征空间的新型攻击方法——DifAttack，该方法与现有作用于整个特征空间的攻击方法存在本质差异。具体而言，DifAttack首先将图像的潜在特征解耦为对抗特征与视觉特征：前者主导图像的对抗能力，后者则基本决定其视觉表现。我们利用干净图像及其通过白盒攻击方法从可用替代模型生成的对抗样本（AEs）配对训练自编码器以实现解耦。最终，DifAttack根据受害模型的查询反馈迭代优化对抗特征（同时保持视觉特征不变），直至生成成功的对抗样本。此外，由于在黑盒模型对抗样本优化过程中避免使用替代模型的梯度信息，本方法在受害模型训练数据集未知的开放场景中天然具有更优攻击能力。大量实验结果表明，本方法在攻击成功率和查询效率上均实现显著提升，尤其在目标攻击与开放场景中表现突出。相关代码将发布于https://github.com/csjunjun/DifAttack.git。