Deep Neural Networks (DNNs) are acknowledged as vulnerable to adversarial
attacks, while the existing black-box attacks require extensive queries on the
victim DNN to achieve high success rates. For query-efficiency, surrogate
models of the victim are used to generate transferable Adversarial Examples
(AEs) because of their Gradient Similarity (GS), i.e., surrogates’ attack
gradients are similar to the victim’s ones. However, it is generally neglected
to exploit their similarity on outputs, namely the Prediction Similarity (PS),
to filter out inefficient queries by surrogates without querying the victim. To
jointly utilize and also optimize surrogates’ GS and PS, we develop QueryNet, a
unified attack framework that can significantly reduce queries. QueryNet
creatively attacks by multi-identity surrogates, i.e., crafts several AEs for
one sample by different surrogates, and also uses surrogates to decide on the
most promising AE for the query. After that, the victim’s query feedback is
accumulated to optimize not only surrogates’ parameters but also their
architectures, enhancing both the GS and the PS. Although QueryNet has no
access to pre-trained surrogates’ prior, it reduces queries by averagely about
an order of magnitude compared to alternatives within an acceptable time,
according to our comprehensive experiments: 11 victims (including two
commercial models) on MNIST/CIFAR10/ImageNet, allowing only 8-bit image
queries, and no access to the victim’s training data. The code is available at
https://github.com/Sizhe-Chen/QueryNet.
Dedicated Forum to help removing adware, malware, spyware, ransomware, trojans, viruses and more!
