Bayesian evolutionary optimization for crafting high-quality adversarial examples with limited query budget

Abstract

Due to the importance of security, the adversarial attack has become an increasingly popular area for deep learning, especially the black-box adversarial attack, which can only obtain the input and output of the target model, resulting in closer to the real world. Query-based methods are a common strategy for performing black-box attacks, and they can find a slight perturbation to make target model misclassify by continuously querying the target model to obtain the output of the target model. However, query-based methods usually suffer from a serious flaw that needs massive queries, which is unaccepted in the real world. Although some query-efficient methods have been proposed to alleviate the above problems, they greatly sacrifice the quality of adversarial examples due to their problem formulations. To generate high-quality adversarial examples with a limited query budget, we propose a Bayesian evolutionary optimization (BEO) based black-box attack method using differential evolution, where a Gaussian processes model is employed to approximate the real objective function. As a key component of the BEO, we use seven acquisition functions to sample the new solution to update the Gaussian processes model, and an information entropy based selection strategy is proposed to adaptively choose the acquisition function. Finally, an effectiveness validation study is carried out comparing the proposed method with five other black-box attack methods and one Bayesian optimization (BO) method using the CIFAR-10 and ImageNet datasets. Experimental results demonstrate that the proposed method can effectively generate adversarial examples using only 200 queries.