ABSTRACT: Together We Can Fool Them: A Distributed Black-Box Adversarial Attack Based on Multi-Group Particle Swarm Optimization

Current adversarial attack methods in black-box settings mainly: (1) rely on transferability approach which requires a substitute model, hence inefficient; or (2) employ a large number of queries for crafting their adversarial examples, hence very likely to be detected and responded by the target system (e.g., AI service provider) due to its high traffic volume. In this paper, we present a black-box adversarial attack based on Multi-Group Particle Swarm Optimization with Random Redistribution (MGRR-PSO) which yields a very high success rate while maintaining a low number of query by launching the attack in a distributed manner. Attacks are executed from multiple nodes, disseminating queries among the nodes, hence reducing the possibility of being recognized by the target system while also increasing scalability. Furthermore, we propose to efficiently remove excessive perturbation (i.e., perturbation pruning) by utilizing again the MGRR-PSO. Overall, we perform five different experiments: comparing our attack's performance with existing algorithms, testing in high-dimensional space using ImageNet dataset, examining our hyperparameters, and testing on real digital attack to Google Cloud Vision. Our attack proves to obtain a 100% success rate for both untargeted and targeted attack on MNIST and CIFAR-10 datasets and able to successfully fool Google Cloud Vision as a proof of the real digital attack with relatively low queries.