KDD2021

Simple and Efficient Hard Label Black-box Adversarial Attacks in Low Query Budget Regimes

Satya Narayan Shukla, Anit Kumar Sahu, Devin Willmott, J. Zico Kolter

Cited 24 times

Abstract

We focus on the problem of black-box adversarial attacks, where the aim is to generate adversarial examples for deep learning models solely based on information limited to output label (hard label) to a queried data input. We propose a simple and efficient Bayesian Optimization (BO) based approach for developing black-box adversarial attacks. Issues with BO's performance in high dimensions are avoided by searching for adversarial examples in a structured low-dimensional subspace. We demonstrate the efficacy of our proposed attack method by evaluating both ℓ∞ and ℓ2 norm constrained untargeted and targeted hard label black-box attacks on three standard datasets: MNIST, CIFAR-10 and ImageNet. Our proposed approach consistently achieves 2× to 10× higher attack success rate while requiring 10× to 20× fewer queries compared to the current state of the art black-box adversarial attacks.

CCS CONCEPTS

• Computing methodologies → Adversarial learning; Neural networks.