FE-DaST: Fast and effective data-free substitute training for black-box adversarial attacks

Abstract

Deep learning models have shown their advantages in computer vision, e.g., image classification, whereas they are well-known to be susceptible to imperceptible perturbations of input images which are called adversarial attacks. Recently proposed data-free substitute training (DaST), an adversarial framework based on a multi-branch generator where each branch generated images of the corresponding class to balance synthetic images, trained surrogate models without the requirement of any real image for transfer-based black-box adversarial attacks. However, this multi-branch framework was too redundant to converge quickly and was limited to datasets of a few categories. In this paper, we propose a simpler adversarial framework based on a single-branch generator to train substitute models fast and effectively, named FE-DaST. More specifically, we adopt a single-branch deep convolutional generator with an information entropy loss to stimulate the generation of balanced images, promote the similarity between substitute models and target models, and further enhance the strength of the transfer-based attack. Despite its simplicity, experimental results demonstrate the superiority of our proposed FE-DaST over DaST in terms of computational loads, similarities between surrogate models and target models, and attack success rates of transferable adversarial examples on MNIST and CIFAR-10 datasets. For CIFAR-100 and Tiny-ImageNet datasets where DaST is not available, our FE-DaST also achieves competitive attack success rates compared with pre-trained models which are trained with realistic training images. Furthermore, the attack performance of FE-DaST outperforms other state-of-the-art substitute training methods on the four datasets.