Abstract Deep Neural Networks (DNNs) are being used in various daily tasks such as object detection, speech processing, and machine translation. However, it is known that DNNs suffer from robustness problems — perturbed inputs called adversarial samples leading to misbehaviors of DNNs. In this paper, we propose a black-box technique called Black-box Momentum Iterative Fast Gradient Sign Method (BMI-FGSM) to test the robustness of DNN models. The technique does not require any knowledge of the structure or weights of the target DNN. Compared to existing white-box testing techniques that require accessing model internal information such as gradients, our technique approximates gradients through Differential Evolution and uses approximated gradients to construct adversarial samples. Experimental results show that our technique can achieve 100% success in generating adversarial samples to trigger misclassification, and over 95% success in generating samples to trigger misclassification to a specific target output label. It also demonstrates better perturbation distance and better transferability. Compared to the state-of-the-art black-box technique, our technique is more efficient. Furthermore, we conduct testing on the commercial Aliyun API and successfully trigger its misbehavior within a limited number of queries, demonstrating the feasibility of real-world black-box attack.

中文翻译：

---

基于差分进化的黑盒对抗样本生成

摘要 深度神经网络 (DNN) 被用于各种日常任务，例如对象检测、语音处理和机器翻译。然而，众所周知，DNN 存在鲁棒性问题——称为对抗样本的扰动输入导致 DNN 的不当行为。在本文中，我们提出了一种称为黑盒动量迭代快速梯度符号方法（BMI-FGSM）的黑盒技术来测试 DNN 模型的鲁棒性。该技术不需要了解目标 DNN 的结构或权重。与需要访问模型内​​部信息（如梯度）的现有白盒测试技术相比，我们的技术通过差分进化来近似梯度，并使用近似梯度来构建对抗样本。实验结果表明，我们的技术在生成对抗样本以触发错误分类方面可以达到 100% 的成功率，在生成样本以触发对特定目标输出标签的错误分类方面的成功率超过 95%。它还展示了更好的扰动距离和更好的可转移性。与最先进的黑盒技术相比，我们的技术更高效。此外，我们对商用阿里云 API 进行了测试，并在有限数量的查询中成功触发了其不当行为，证明了现实世界黑盒攻击的可行性。与最先进的黑盒技术相比，我们的技术更高效。此外，我们对商用阿里云 API 进行了测试，并在有限数量的查询中成功触发了其不当行为，证明了现实世界黑盒攻击的可行性。与最先进的黑盒技术相比，我们的技术更高效。此外，我们对商用阿里云 API 进行了测试，并在有限数量的查询中成功触发了其不当行为，证明了现实世界黑盒攻击的可行性。