Adversarial examples pose a serious problem for the deployment of machine learning models in many sensitive domains. Among techniques for generating adversarial examples, decision-based black-box attacks are one of the most practical, as they require only query access to the model. One recently proposed state-of-the-art decision-based black-box attack is Triangle Attack (TA). In this paper, we give a high-level description of TA and explain its potential theoretical limitations. We then propose a new decision-based black-box attack, Triangle Attack with Reinforcement Learning (TARL), which addresses the limitations of TA by leveraging reinforcement learning. The resulting attack achieves a similar, if not better, attack success rate than TA with half as many queries on state-of-the-art classifiers and defenses across ImageNet and CIFAR-10.