SAGE: Steering the Adversarial Generation of Examples With Accelerations
IEEE Transactions on Information Forensics and Security ( IF 6.3 ) Pub Date : 2-2-2023 , DOI: 10.1109/tifs.2022.3226572
Ziming Zhao 1 , Zhaoxuan Li 2 , Fan Zhang 1 , Ziqi Yang 1 , Shuang Luo 3 , Tingting Li 1 , Rui Zhang 2 , Kui Ren 1

To generate image adversarial examples, state-of-the-art black-box attacks usually require thousands of queries. However, massive queries will introduce additional costs and exposure risks in the real world. Towards improving the attack efficiency, we carefully design an acceleration framework, SAGE, for existing black-box methods, which is composed of sLocator (initial point optimization) and sRudder (search process optimization). The core ideas of SAGE are that 1) a saliency map can guide the perturbations towards the most adversarial direction and 2) a bounding box (bbox) can be exploited to capture those salient pixels in the black-box attack. Meanwhile, we provide a series of observations and experiments that demonstrate that bbox holds model invariance and process invariance. We extensively evaluate SAGE on four state-of-the-art black-box attacks involving three popular datasets (MNIST, CIFAR10, and ImageNet). The results show that SAGE could present fundamental improvements even against robust models that use adversarial training. Specifically, SAGE could reduce >20% of queries and improve the success rate of attacks to 95%~100%. Compared with the other acceleration framework, SAGE achieves a more significant effect in a flexible, stable, and low-overhead manner. Moreover, our practical evaluation (Google Cloud Vision API) shows SAGE can be applied to real-world scenarios.

Updated: 2024-08-26