Power of Diversity: Enhancing Data-Free Black-Box Attack with Domain-Augmented Learning

Authors

  • Yang Wei School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing, China
  • Jingyu Tan School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing, China
  • Guowen Xu School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China
  • Zhuoran Ma School of Cyber Engineering, Xidian University, Xi’an, China
  • Zhuo Ma School of Cyber Engineering, Xidian University, Xi’an, China
  • Bin Xiao School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing, China; Jinan Inspur Data Technology Co., Ltd., Jinan, China

DOI:

https://doi.org/10.1609/aaai.v39i8.32896

Abstract

Substitute training-based data-free black-box attacks pose a significant threat to enterprise-deployed models. These attacks use a generator to synthesize data and query APIs, then train a substitute model to approximate the target model's decision boundary based on the returned results. However, existing attack methods often struggle to produce sufficiently diverse data, particularly for complex target models and extensive target data domains, severely limiting their practical application. To address this gap, we design domain-augmented learning to improve the quality of the synthetic data domain (SDD) generated by the generator from two perspectives. Specifically, (1) to broaden the SDD's coverage, we introduce textual semantic embeddings into the generator for the first time; (2) to enhance the SDD's discretization, we propose a competitive optimization strategy that forces the generator to self-compete, along with heterogeneity excitation to overcome the constraints of information entropy on diversity. Comprehensive experiments demonstrate that our method is more effective. In non-targeted attacks on the CIFAR-10 and Tiny-ImageNet datasets, our method outperforms the state-of-the-art by 14% and 7% in attack success rate, respectively.

Published

2025-04-11

How to Cite

Wei, Y., Tan, J., Xu, G., Ma, Z., Ma, Z., & Xiao, B. (2025). Power of Diversity: Enhancing Data-Free Black-Box Attack with Domain-Augmented Learning. Proceedings of the AAAI Conference on Artificial Intelligence, 39(8), 8304–8312. https://doi.org/10.1609/aaai.v39i8.32896

Issue

Section

AAAI Technical Track on Computer Vision VII