Zeroth-Order Gradient Approximation Based DaST for Black-Box Adversarial Attacks.

In recent years, adversarial attacks have arisen widespread attention in the domain of deep learning. Compared to white-box attacks, black-box attacks can be launched only with output information, which is more realistic under real-world attack conditions. An important means of black-box attacks is to train a substitute model of the target model. Yet, obtaining the training data of target model is difficult. Previous works use GAN to accomplish data-free training of the generator and the substitute model. However, the gradient of generator has no relationship with the target model, which causes the requirement of massive iterations and the limitation of Attack Success Rate (ASR). To address this issue, we propose zeroth-order gradient approximation based Data-free Substitute Training (DaST) for black-box adversarial attacks. It estimates the gradient of target model using forward difference and back propagates the gradient to generator, which improves ASR and training efficiency. Four popular auxiliary white-box attack algorithms are used to compare our method with previous works. Experiment results on MNIST and CIFAR-10 demonstrate higher ASR, less training time and memory of our method. Specifically, on MNIST, our method reaches an ASR of 99.87% consuming only 10 min and 1092.56 MB memory, with the increase of 3.51% ASR, the time reduction of 38 h and the memory decrease of 929.72 MB compared to the state-of-the-art method. Moreover, our method remains effective even when the structure of substitute model differs from that of target model.