Efficient black-box attack with surrogate models and multiple universal adversarial perturbations
Abstract Deep learning models are inherently vulnerable to adversarial examples, particularly in black-box settings where attackers have limited knowledge of the target model. Existing attack algorithms often face challenges in balancing effectiveness and efficiency. Adversarial perturbations genera...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Nature Portfolio
2025-05-01
|
| Series: | Scientific Reports |
| Online Access: | https://doi.org/10.1038/s41598-025-87529-z |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1850125871192473600 |
|---|---|
| author | Tao Ma Hong Zhao Ling Tang Mingsheng Xue Jing Liu |
| author_facet | Tao Ma Hong Zhao Ling Tang Mingsheng Xue Jing Liu |
| author_sort | Tao Ma |
| collection | DOAJ |
| description | Abstract Deep learning models are inherently vulnerable to adversarial examples, particularly in black-box settings where attackers have limited knowledge of the target model. Existing attack algorithms often face challenges in balancing effectiveness and efficiency. Adversarial perturbations generated in such settings can be suboptimal and require large query budgets to achieve high success rates. In this paper, we investigate the transferability of Multiple Universal Adversarial Perturbations (MUAPs), showing that they can affect a large portion of samples across different models. Based on this insight, we propose SMPack, a staged black-box adversarial example generation algorithm that integrates surrogate and query schemes. By combining MUAPs with surrogate models, SMPack effectively overcomes the black-box constraints and improves the efficiency of generating adversarial examples. Additionally, we optimize this process using a Genetic Algorithm (GA), allowing for efficient search of the perturbation space while conserving query budget. We evaluated SMPack against eight popular attack algorithms: OnePixel, SimBA, FNS, GA, SFGSM, SPGD, FGSM, and PGD, using four publicly available datasets: MNIST, SVHN, CIFAR-10, and ImageNet. The experiments involved 500 random correctly classified samples for each dataset. Our results show that SMPack outperforms existing black-box attack methods in both attack success rate (ASR) and query efficiency, while maintaining competitive performance with white-box methods. SMPack provides an efficient and effective solution for generating adversarial examples in black-box settings. The integration of MUAPs, surrogate schemes, and genetic optimization addresses the key limitations of existing methods, offering a robust alternative for generating adversarial perturbations with reduced query budget. |
| format | Article |
| id | doaj-art-ff64ccdbcc124571a55aa00669be2927 |
| institution | OA Journals |
| issn | 2045-2322 |
| language | English |
| publishDate | 2025-05-01 |
| publisher | Nature Portfolio |
| record_format | Article |
| series | Scientific Reports |
| spelling | doaj-art-ff64ccdbcc124571a55aa00669be29272025-08-20T02:34:02ZengNature PortfolioScientific Reports2045-23222025-05-0115111910.1038/s41598-025-87529-zEfficient black-box attack with surrogate models and multiple universal adversarial perturbationsTao Ma0Hong Zhao1Ling Tang2Mingsheng Xue3Jing Liu4National University of Defense TechnologyGuangzhou Institute of Technology, Xidian UniversityGuangzhou Institute of Technology, Xidian UniversityGuangzhou Institute of Technology, Xidian UniversityGuangzhou Institute of Technology, Xidian UniversityAbstract Deep learning models are inherently vulnerable to adversarial examples, particularly in black-box settings where attackers have limited knowledge of the target model. Existing attack algorithms often face challenges in balancing effectiveness and efficiency. Adversarial perturbations generated in such settings can be suboptimal and require large query budgets to achieve high success rates. In this paper, we investigate the transferability of Multiple Universal Adversarial Perturbations (MUAPs), showing that they can affect a large portion of samples across different models. Based on this insight, we propose SMPack, a staged black-box adversarial example generation algorithm that integrates surrogate and query schemes. By combining MUAPs with surrogate models, SMPack effectively overcomes the black-box constraints and improves the efficiency of generating adversarial examples. Additionally, we optimize this process using a Genetic Algorithm (GA), allowing for efficient search of the perturbation space while conserving query budget. We evaluated SMPack against eight popular attack algorithms: OnePixel, SimBA, FNS, GA, SFGSM, SPGD, FGSM, and PGD, using four publicly available datasets: MNIST, SVHN, CIFAR-10, and ImageNet. The experiments involved 500 random correctly classified samples for each dataset. Our results show that SMPack outperforms existing black-box attack methods in both attack success rate (ASR) and query efficiency, while maintaining competitive performance with white-box methods. SMPack provides an efficient and effective solution for generating adversarial examples in black-box settings. The integration of MUAPs, surrogate schemes, and genetic optimization addresses the key limitations of existing methods, offering a robust alternative for generating adversarial perturbations with reduced query budget.https://doi.org/10.1038/s41598-025-87529-z |
| spellingShingle | Tao Ma Hong Zhao Ling Tang Mingsheng Xue Jing Liu Efficient black-box attack with surrogate models and multiple universal adversarial perturbations Scientific Reports |
| title | Efficient black-box attack with surrogate models and multiple universal adversarial perturbations |
| title_full | Efficient black-box attack with surrogate models and multiple universal adversarial perturbations |
| title_fullStr | Efficient black-box attack with surrogate models and multiple universal adversarial perturbations |
| title_full_unstemmed | Efficient black-box attack with surrogate models and multiple universal adversarial perturbations |
| title_short | Efficient black-box attack with surrogate models and multiple universal adversarial perturbations |
| title_sort | efficient black box attack with surrogate models and multiple universal adversarial perturbations |
| url | https://doi.org/10.1038/s41598-025-87529-z |
| work_keys_str_mv | AT taoma efficientblackboxattackwithsurrogatemodelsandmultipleuniversaladversarialperturbations AT hongzhao efficientblackboxattackwithsurrogatemodelsandmultipleuniversaladversarialperturbations AT lingtang efficientblackboxattackwithsurrogatemodelsandmultipleuniversaladversarialperturbations AT mingshengxue efficientblackboxattackwithsurrogatemodelsandmultipleuniversaladversarialperturbations AT jingliu efficientblackboxattackwithsurrogatemodelsandmultipleuniversaladversarialperturbations |