2.1 Decision-Based Adversarial Attacks

Abstract

Results We found that our decision-based adversarial attack is competitive with common gradient-based adversarial attacks in terms of perturbation size in both untargeted and targeted scenarios. We tested our attack on standard computer vision models for MNIST, CIFAR-10, and ImageNet and compared the median minimal 𝐿2 adversarial perturbation size with established gradient-based attacks such as DeepFool (Moosavi-Dezfooli et al. 2016) and the Carlini-Wagner attack (Carlini and Wagner 2017b). Our median perturbation size is always within a factor of two compared to the best attack and often better than at least either DeepFool or Carlini-Wagner.Running our attack against a model trained with defensive distillation (Papernot, McDaniel, Wu, et al. 2016), a defense known to introduce gradient masking rather than truly increasing the robustness (Carlini and Wagner 2016), confirmed our hypothesis that decision-based adversarial attacks can work well when gradient-based attacks fail because of gradient masking.