TY - JOUR
T1 - Query-efficient decision-based attack via sampling distribution reshaping
AU - Sun, Xuxiang
AU - Cheng, Gong
AU - Pei, Lei
AU - Han, Junwei
N1 - Publisher Copyright:
© 2022 Elsevier Ltd
PY - 2022/9
Y1 - 2022/9
N2 - With a limited query budget and only the final decision of a target model, how to find adversarial examples with low-magnitude distortion has attracted great attention among researchers. Recent solutions to this issue made use of the estimated normal vector at a boundary data point to search for adversarial examples. However, because of the sampling independence between two sampling epochs, they still suffer from a prohibitively high query budget, which will get worse when the dimensionality of the attacked samples increases. To push for further development, in this paper, we pay attention to a query-efficient method to estimate the normal vector for decision-based attack in high-dimensional space. Specifically, we propose a simple yet effective normal vector estimation framework for high-dimension decision-based attack via Sampling Distribution Reshaping, dubbed SDR. Next, SDR is incorporated into a general geometric attack framework. Briefly, SDR leverages all the historically sampled noise to build a guiding vector, which will be used to reshape the next sampling distribution. Besides, we also extend SDR to different ℓp norms for p={2,∞} and deploy a low-frequency constraint to enhance the performance of SDR. Compared to peer decision-based attacks, SDR can reach competitive ℓp norms for p={2,∞}, according to extensive experimental evaluations against both defended and undefended classifiers. Given the simplicity and effectiveness of SDR, we think that reshaping the sampling distribution deserves further research in future work.
AB - With a limited query budget and only the final decision of a target model, how to find adversarial examples with low-magnitude distortion has attracted great attention among researchers. Recent solutions to this issue made use of the estimated normal vector at a boundary data point to search for adversarial examples. However, because of the sampling independence between two sampling epochs, they still suffer from a prohibitively high query budget, which will get worse when the dimensionality of the attacked samples increases. To push for further development, in this paper, we pay attention to a query-efficient method to estimate the normal vector for decision-based attack in high-dimensional space. Specifically, we propose a simple yet effective normal vector estimation framework for high-dimension decision-based attack via Sampling Distribution Reshaping, dubbed SDR. Next, SDR is incorporated into a general geometric attack framework. Briefly, SDR leverages all the historically sampled noise to build a guiding vector, which will be used to reshape the next sampling distribution. Besides, we also extend SDR to different ℓp norms for p={2,∞} and deploy a low-frequency constraint to enhance the performance of SDR. Compared to peer decision-based attacks, SDR can reach competitive ℓp norms for p={2,∞}, according to extensive experimental evaluations against both defended and undefended classifiers. Given the simplicity and effectiveness of SDR, we think that reshaping the sampling distribution deserves further research in future work.
KW - Adversarial examples
KW - Decision-based attack
KW - Distribution reshaping
KW - Image classification
KW - Normal vector estimation
UR - http://www.scopus.com/inward/record.url?scp=85129341024&partnerID=8YFLogxK
U2 - 10.1016/j.patcog.2022.108728
DO - 10.1016/j.patcog.2022.108728
M3 - Article
AN - SCOPUS:85129341024
SN - 0031-3203
VL - 129
JO - Pattern Recognition
JF - Pattern Recognition
M1 - 108728
ER -