Enhancing Boundary Attack in Adversarial Image Using Square Random Constraint

An adversarial image is a sample with intentional small perturbations that causes deep learning models to classify the image incorrectly. In the image recognition field, adversarial images have become an attractive research topic because they can efficiently attack many state-of-the-art and even commercial models. The challenge now for any deep learning models is how to find out potentially sophisticated adversarial images and prepare proactive prevention against adversarial attacks. Among various existing adversarial attacks, Boundary Attack, proposed in 2018 [5], is one of the state-of-the-art attack methods due to its efficiency, extreme flexibility, simplicity, and high utilization in real-world applications. However, we found a severe drawback existing in the Boundary Attack. First, when randomizing the direction for the next perturbation, it uses a Gaussian distribution over the entire image space to choose the next movement. This causes losing various useful statistic information from the models, such as the high usage of the convolutional layers. Therefore, in this paper, we aim to investigate an enhancement for the Boundary Attack. In the perturbation direction randomization step, we restrict the perturbation direction in a square shape in the geometrical presentation of the image. Compared to the existing randomization strategy, as described in more detail in Section 1.2, our approach can exploit the nature of most image recognition models originating from the convolutional layers that capture the image features in square patterns. We experimented with our proposed method with the well-known CIFAR-10 [23] image dataset on the ResNet-v2 [16] model. Our experimental result showed that the proposed method could successfully reduce the similarity between the adversarial image and the original image by 41.06% with the same number of queries.