A Survey of Black-Box Adversarial Attack Techniques for Image Analysis

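Black-box attacks in the image domain have become a hot research direction in adversarial attacks on deep neural networks. A black-box attack uses only the mapping between a model's inputs and outputs and needs no internal model parameters or gradient information; by adding small perturbations to image data that humans can hardly perceive, it causes deep neural network (DNN) inference and recognition to go wrong and lowers the accuracy of image analysis tasks. The robustness problems caused by black-box attacks have therefore become a key issue in current DNN model research. To improve the effectiveness of black-box attacks on image analysis tasks, existing work takes low query counts, low perturbation magnitude and high attack success rate as optimization objectives, and adopts different attack modes and evaluation methods for different image analysis tasks. Starting from mainstream image analysis tasks, this paper describes the core ideas and difficulties of black-box attack algorithms in three tasks: image classification, object detection and image segmentation; summarizes the key concepts and evaluation metrics of the black-box adversarial attack field; and analyzes the implementation strategies and research objectives of black-box adversarial attacks in the different image analysis tasks. It clarifies the relationships among, and advantages of, the black-box attack algorithms, and compares their performance in terms of attack success rate, query count and similarity metrics, in order to set out the main challenges that remain for black-box adversarial attacks in image analysis and future research directions.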
A Survey on Black-Box Adversarial Attack in Image Analysis
In the domain of image processing, black-box adversarial attacks have emerged as a prominent and hot area of research within the current landscape of adversarial attacks on deep neural networks (DNNs). Distinguished by their exclusive reliance on the input-output mapping of a model, black-box attacks forego internal model parameters and gradient information. By subtly introducing imperceptible perturbations into image data, these attacks induce misalignment in the inference and recognition capabilities of deep neural networks (DNNs), resulting in a deterioration of accuracy in image analysis tasks. Consequently, the robustness issues posed by black-box attacks have become a critical and focal concern in current DNN model research. To enhance the efficacy of black-box attacks in image analysis tasks, current research endeavors focus on optimizing objectives such as achieving low query counts, minimal perturbation amplitude, and high attack success rates. Different attack modes and evaluation methodologies are employed for distinct image analysis tasks. Beginning with mainstream image analysis tasks, including image classification, object detection, and image segmentation, this paper expounds on the core ideas and challenges presented by black-box attack algorithms within each category. The paper systematically summarizes key concepts and evaluation metrics in the domain of black-box adversarial attacks. The current evaluation metrics predominantly encompass three critical aspects. Firstly, the attack success rate is measured distinctively for various image analysis tasks. In image classification, the success of an attack implies a discrepancy between the model's output category and the original label category, often quantified through image misclassification rates. Object detection tasks frequently rely on the mean Average Precision (mAP) metric, where lower post-attack mAP values indicate heightened attack effectiveness. In image segmentation tasks, the success of a black-box attack is gauged by differences between generated pixel-wise segmentation images and labeled segmentation images, with certain pixels recognized as other categories. Presently, black-box attacks in segmentation tasks are frequently assessed using the mean Intersection over Union (mIoU) metric, where lower mIoU values signify elevated attack performance. Secondly, considerations encompass query counts and attack time, instrumental in gauging the efficiency of black-box adversarial attacks. Reduced query counts or attack times denote enhanced efficiency in generating adversarial samples. Finally, similarity metrics center on the fundamental task of adversarial attacks, which is ensuring model misalignment in inference and recognition while preserving perturbation imperceptibility. Consequently, generated adversarial samples need to closely resemble the original samples. This paper introduces current similarity metrics employed in black-box adversarial attacks. Based on the above content, the paper comprehensively analyzes the implementation strategies and research objectives of black-box adversarial attacks in various image analysis tasks. It elucidates the relationships and advantages among various black-box attack algorithms, categorizing them into four distinct types: meta-heuristic-based black-box adversarial attack techniques, proxy-model-based black-box adversarial attack techniques, direct-search-based black-box adversarial attack techniques, and zeroth-order optimization-based black-box adversarial attack techniques. Performance comparisons are systematically conducted across multiple facets, including attack success rates, query counts, and similarity metrics. The paper culminates by highlighting major challenges persisting in the realm of black-box adversarial attacks in image analysis and proposing comprehensive future research directions.

black-box adversarial attack; deep neural network; robustness; image classification; object detection; image segmentation

Wu Yang (武阳), Liu Jing (刘靖)

College of Computer Science, Inner Mongolia University, Hohhot 010021

black-box adversarial attack; deep neural network; robustness; image classification; object detection; image segmentation

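National Natural Science Foundation of China; Inner Mongolia Autonomous Region Science and Technology Program; Key Project of the Inner Mongolia Natural Science Foundation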

61662051; 2020GG0187; 2023ZD18

2024

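Chinese Journal of Computers (计算机学报)
China Computer Federation; Institute of Computing Technology, Chinese Academy of Sciences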

CSTPCD; Peking University Core Journals
Impact factor: 3.18
ISSN: 0254-4164
Year, volume (issue): 2024.47(5)