Approximate Decision Boundary Approach for Black-box Adversarial Attacks Based on Saliency Detection

Abstract: Decision-based black-box adversarial attacks have become an important research direction in artificial intelligence security. Existing methods mostly approximate the decision boundary through uniform random traversal search and ignore the correlation between an image's semantic structure and the regions the model attends to. As a result, they suffer from blind search directions, insensitivity to image regions, and low query efficiency. To address this, the paper proposes a saliency-guided adversarial decision boundary attack (SADBA) for black-box image classification systems that return only hard-label predictions under a constrained query budget. SADBA uses the semantics of a saliency mask to steer perturbations preferentially toward the key sensitive regions of the image, which reduces redundant queries and improves attack efficiency. Experiments on the ImageNet dataset show that SADBA outperforms the baseline attack methods on several mainstream models: the number of queries decreases by 11.5%, 25.3%, 3.6%, 30.4%, and 8.8% on VGG19, InceptionV3, EfficientNet-B0, DenseNet161, and ViT-B32, respectively, while the attack success rate is maintained or improved. The method also remains robust and achieves an effective balance between query efficiency and attack stealth.

Key words: decision boundary, saliency detection, black-box adversarial attack, hard label, adversarial sample


CLC Number: TP391

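串立雪, 陈龙. Approximate Decision Boundary Approach for Black-box Adversarial Attacks Based on Saliency Detection [J]. Journal of Information Security Research, 2026, 12(4): 340-.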

