Many machine learning algorithms are vulnerable to almost imperceptible perturbations of their inputs. So far it was unclear how much risk adversarial perturbations carry for the safety of real-world machine learning applications because most methods used to generate such perturbations rely either on model information (gradient-based attacks) or on confidence scores such as class probabilities (score-based attacks), neither of which are available in most real-world scenarios. In many such cases one currently needs to retreat to transfer-based attacks which rely on cumbersome substitute models, need access to the training data and can be defended against. Here we emphasise the importance of attacks which solely rely on the final model decision. Such decision-based attacks are (1) applicable to real-world black-box models such as autonomous cars, (2) need less knowledge and are easier to apply than transfer-based attacks and (3) are more robust to simple defences than gradient- or score-based attacks. Previous attacks in this category were limited to simple models or simple datasets. Here we introduce the Boundary Attack, a decision-based attack that starts from a large perturbation and then seeks to reduce the perturbation while staying adversarial. The attack is conceptually simple, requires close to no tuning, does not rely on substitute models and is competitive with the best gradient-based attacks in standard computer vision tasks like. We apply the attack on two black-box algorithms from Clarifai.com. The Boundary Attack in particular and the class of decision-based attacks in general open new avenues to study the robustness of machine learning models and raise new questions regarding the safety of deployed machine learning systems. An implementation of the attack is available as part of Foolbox at: https://github.com/bethgelab/foolbox.
Wieland Brendel
Bernstein Center for Computational Neuroscience Tübingen
Jonas Rauber
Saarland University
Matthias Bethge
TH Bingen University of Applied Sciences
Brendel et al. (Tue,) studied this question.
synapsesocial.com/papers/6a0ffdaafb2817e31dfcdc73 — DOI: https://doi.org/10.48550/arxiv.1712.04248