Online Adversarial Attacks
arXiv - CS - Data Structures and Algorithms. Pub Date: 2021-03-02, DOI: arxiv-2103.02014
Andjela Mladenovic, Avishek Joey Bose, Hugo Berard, William L. Hamilton, Simon Lacoste-Julien, Pascal Vincent, Gauthier Gidel

Adversarial attacks expose important vulnerabilities of deep learning models, yet little attention has been paid to settings where data arrives as a stream. In this paper, we formalize the online adversarial attack problem, emphasizing two key elements found in real-world use-cases: attackers must operate under partial knowledge of the target model, and the decisions made by the attacker are irrevocable since they operate on a transient data stream. We first rigorously analyze a deterministic variant of the online threat model by drawing parallels to the well-studied $k$-secretary problem and propose \algoname, a simple yet practical algorithm yielding a provably better competitive ratio for $k=2$ over the current best single threshold algorithm. We also introduce the stochastic $k$-secretary -- effectively reducing online blackbox attacks to a $k$-secretary problem under noise -- and prove theoretical bounds on the competitive ratios of any online algorithms adapted to this setting. Finally, we complement our theoretical results by conducting a systematic suite of experiments on MNIST and CIFAR-10 with both vanilla and robust classifiers, revealing that, by leveraging online secretary algorithms, like \algoname, we can get an online attack success rate close to the one achieved by the optimal offline solution.
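The abstract reduces the online threat model to the $k$-secretary problem: items arrive one at a time, each must be accepted or skipped irrevocably, and the goal is to capture as much of the offline optimum (the $k$ best items in hindsight) as possible. The block below is an added illustration, not code from the paper and not \algoname; it implements the classic single-threshold baseline the abstract compares against, scores the online choice against the offline optimum, and shows the "stochastic" variant in which selection is made on noisy observed scores while the payoff is determined by the true values. The stream values and the noisy observations are constructed; the sample length $\lfloor n/e \rfloor$ is the classic choice for $k=1$ and is exposed as a parameter because it is only one possible setting.

```python
"""Single-threshold k-secretary selection over a data stream.

Added example for illustration; the selection rule is the classic baseline
(observe a prefix, then accept anything beating the k-th best value seen in
the prefix), not the algorithm proposed in the paper.
"""
import math

# Constructed "attackability" scores revealed one at a time (higher is better
# for the selector). Index 9 is the best item, index 3 the second best.
STREAM = [3, 7, 2, 9, 4, 8, 1, 6, 5, 10]

# Constructed noisy view of the same stream (stochastic k-secretary): the
# selector sees these, but its payoff is measured with STREAM. Note that the
# second-best item (index 3) is observed as a very poor one here.
NOISY_OBSERVED = [3, 7, 2, 1, 9, 8, 4, 6, 5, 10]


def select_online(observed, k, sample_size=None):
    """Return the indices chosen by the single-threshold rule, in stream order.

    The first `sample_size` items are only observed (never selected). After
    that, an item is accepted if it strictly exceeds the k-th largest value in
    the observation prefix, until k items are held. Skipped items never return,
    which is the irrevocability constraint of the online threat model.
    """
    n = len(observed)
    if sample_size is None:
        sample_size = int(n / math.e)  # classic n/e observation phase
    sample = observed[:sample_size]
    if len(sample) >= k:
        threshold = sorted(sample, reverse=True)[k - 1]
    else:
        # Prefix too short to define a k-th best: accept the first k items.
        threshold = -math.inf

    chosen = []
    for i in range(sample_size, n):
        if len(chosen) == k:
            break
        if observed[i] > threshold:
            chosen.append(i)
    return chosen


def offline_optimum(true_values, k):
    """Value of the best k items chosen with full hindsight."""
    return sum(sorted(true_values, reverse=True)[:k])


def competitive_ratio(observed, true_values, k, sample_size=None):
    """Empirical ratio of what the online rule captured to the offline optimum.

    Selection uses `observed`; payoff uses `true_values`. Passing the same list
    for both gives the deterministic (noise-free) setting.
    """
    chosen = select_online(observed, k, sample_size)
    gained = sum(true_values[i] for i in chosen)
    return gained / offline_optimum(true_values, k)


if __name__ == "__main__":
    for k in (1, 2):
        print(f"k={k} noise-free: chose {select_online(STREAM, k)}, "
              f"ratio {competitive_ratio(STREAM, STREAM, k):.3f}")
    print(f"k=2 noisy view:  chose {select_online(NOISY_OBSERVED, 2)}, "
          f"ratio {competitive_ratio(NOISY_OBSERVED, STREAM, 2):.3f}")
```

On the constructed stream the noise-free run with $k=2$ observes the first three items, sets the threshold at 3, and accepts indices 3 and 4 (values 9 and 4), capturing 13 of the offline optimum 19. With the noisy view the second-best item is observed as 1 and skipped, so the rule ends up with indices 4 and 5 (true values 4 and 8) and only 12 of 19. The gap between the two runs is exactly the cost that the stochastic $k$-secretary bounds in the abstract quantify.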

Updated: 2021-03-04