Boundary Attack++: Query-Efficient Decision-Based Adversarial Attack
Chen, Jianbo; Jordan, Michael I.
Deep neural networks have achieved state-of-the-art performance on a variety of tasks. But they have been shown to be vulnerable to adversarial examples, which are maliciously perturbed examples almost identical to original samples in human perception, but cause models to make incorrect decisions [31]. The vulnerability of neural networks to adversarial examples implies a security risk in applications with real-world consequences, such as self-driving cars, robotics, financial services, and criminal justice, and also suggests a difference between humans and existing machine learning systems. The study of adversarial examples is thus necessary to identify the limitations of current machine learning algorithms, provide a metric for robustness, investigate the potential risk, and suggest ways to improve the robustness of models. Considerable effort has gone into the design of new algorithms for the generation of adversarial examples. Adversarial examples can be categorized according to several criteria: the similarity metric, the attack goal, and the threat model.
Apr-3-2019
- Country:
  - North America > United States > California (0.28)
- Genre:
  - Research Report (0.50)
- Industry:
  - Information Technology > Security & Privacy (0.66)
  - Government > Military (0.43)
- Technology: