GeoDA: a Decision-based Adversarial Attack

GeoDA is a black-box attack framework for generating adversarial examples for image classifiers. We propose a geometric framework to generate adversarial examples in one of the most challenging black-box settings, where the adversary can only make a small number of queries, each of them returning the top-1 label of the classifier. Our framework is based on the observation that the decision boundary of deep networks usually has a small mean curvature in the vicinity of data samples. GeoDA was accepted to CVPR 2020. You can find the full paper here.

Linearizing the decision boundary

Given a boundary point, the decision boundary in the vicinity of a data point can be locally approximated by a hyperplane passing through that boundary point. The goal is then to estimate the normal vector to the boundary.
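The sketch below is an added illustration, not code from the GeoDA PyTorch implementation. It shows how much boundary geometry top-1 labels alone reveal on a constructed toy linear classifier, where the hyperplane approximation is exact. The estimator (a sign-weighted average of Gaussian probes around the boundary point) and all function names, dimensions and constants are assumptions chosen for illustration.

```python
import math
import random

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def make_top1_oracle(w, b):
    """Constructed toy classifier: exposes only the top-1 label (0 or 1)."""
    return lambda x: 1 if dot(w, x) + b > 0 else 0

def project_to_boundary(x, w, b):
    """Closest point to x on the hyperplane w.x + b = 0 (the boundary point)."""
    t = (dot(w, x) + b) / dot(w, w)
    return [xi - t * wi for xi, wi in zip(x, w)]

def estimate_normal(top1, x_boundary, n_queries, sigma, rng):
    """Unit-norm estimate of the boundary normal from n_queries label queries.

    Each query probes x_boundary + sigma * eta with eta ~ N(0, I); the probe
    direction is added if the label is 1 and subtracted if it is 0.
    """
    acc = [0.0] * len(x_boundary)
    for _ in range(n_queries):
        eta = [rng.gauss(0.0, 1.0) for _ in x_boundary]
        probe = [xb + sigma * e for xb, e in zip(x_boundary, eta)]
        sign = 1.0 if top1(probe) == 1 else -1.0
        acc = [a + sign * e for a, e in zip(acc, eta)]
    norm = math.sqrt(dot(acc, acc))
    return [a / norm for a in acc]

def cosine_to_true_normal(n_queries, dim=20, sigma=0.1, seed=0):
    """Cosine between the estimate and the true normal w of the toy model."""
    rng = random.Random(seed)
    w = [rng.gauss(0.0, 1.0) for _ in range(dim)]   # constructed ground truth
    b = 0.3
    x = [rng.gauss(0.0, 1.0) for _ in range(dim)]   # constructed data point
    x_b = project_to_boundary(x, w, b)
    est = estimate_normal(make_top1_oracle(w, b), x_b, n_queries, sigma, rng)
    return dot(est, w) / math.sqrt(dot(w, w))

if __name__ == "__main__":
    for n in (50, 500, 5000):
        print(n, "queries -> cosine", round(cosine_to_true_normal(n), 3))
```

The cosine approaches 1 as the number of label queries grows, so the query count directly controls how well the normal is recovered.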

A few examples of the performance of GeoDA for different norms

More examples with magnified perturbations for better visibility

Code

The PyTorch implementation of GeoDA can be found here.