 advflow


Supplementary Materials

Neural Information Processing Systems

In Section B, we give the implementation details of our algorithm and experiments. Besides introducing the flow-based model architecture, we present a detailed explanation of classifier architectures and defense mechanisms used to evaluate our method. In Section C, we present an extended version of our simulation results. Otherwise, this means that our NF is simply a data-independent affine transformation. The functions s1,2() and t1,2() are called the scaling and translation functions.



we address some of the questions raised by the reviewers as much as time and space allows

Neural Information Processing Systems

First, we thank all the reviewers for their invaluable assessment of our paper in this challenging time. To provide more reliable evidence that AdvFlow's distributional For the sake of completeness, we also add LID [31] The results are given in Table 1. This is indicating that the attacker's distributional properties are fooling the detectors. As seen, we get similar results to Table 2 of the paper, outperforming SimBA in defended baselines. Note that some of the current SOTA results in black-box adversarial attacks come from the attacker's knowledge about the However, once the target changes its training procedure (e.g., from vanilla See the official repo. of SimBA, where it clearly is indicated that the The results of Table 1 and 2 (as well as SVHN) will be added to the camera-ready version.






AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows

Neural Information Processing Systems

Deep learning classifiers are susceptible to well-crafted, imperceptible variations of their inputs, known as adversarial attacks. In this paper, we introduce AdvFlow: a novel black-box adversarial attack method on image classifiers that exploits the power of normalizing flows to model the density of adversarial examples around a given target image. We see that the proposed method generates adversaries that closely follow the clean data distribution, a property which makes their detection less likely. Also, our experimental results show competitive performance of the proposed approach with some of the existing attack methods on defended classifiers.


AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows

Dolatabadi, Hadi M., Erfani, Sarah, Leckie, Christopher

arXiv.org Machine Learning

Deep learning classifiers are susceptible to well-crafted, imperceptible variations of their inputs, known as adversarial attacks. In this regard, the study of powerful attack models sheds light on the sources of vulnerability in these classifiers, hopefully leading to more robust ones. In this paper, we introduce AdvFlow: a novel black-box adversarial attack method on image classifiers that exploits the power of normalizing flows to model the density of adversarial examples around a given target image. We see that the proposed method generates adversaries that closely follow the clean data distribution, a property which makes their detection less likely. Also, our experimental results show competitive performance of the proposed approach with some of the existing attack methods on defended classifiers. The code is available at https://github.com/hmdolatabadi/AdvFlow.