Query-Efficient Hard-Label Black-Box Attack against Vision Transformers

Self-attention-based Transformer was first proposed for natural language processing [Vaswani et al. 2017] [Ángel González et al. 2021], which can globally model each element in a sequence and establish connections between all elements. Subsequently, Dosovitskiy et al. [Dosovitskiy et al. 2020] developed vision transformers (ViTs) and applied them to image classification tasks [Li et al. 2021], [Wang et al. 2024] [Beal et al. 2020], [Zheng et al. 2021]. To improve the training efficiency, Touvron et al. [Touvron et al. 2021] proposed an improved ViT called Data efficient Image Transformers (DeiT). DeiT exploits knowledge distillation [Hinton et al. 2015] and data augmentation to improve ViTs when training with less data. To overcome the singulation of tokenization, Yuan et al. [Yuan et al. 2021] proposed a Tokens-To-Token ViT (T2T-ViT), which constructs tokens by aggregating neighboring tokens into one token, i.e., tokens-to-token. Swin Transformers  [Liu et al. 2021], [Liu et al. 2022], [Dong et al. 2022] focused on large-size images and effectively solved their feature extraction problems by dividing images into different levels and introducing a local self-attention module. Additionally, researchers have hybridized ViTs with traditional CNNs  [Xiao et al. 2021], [Wu et al. 2021], [Graham et al. 2021], allowing these models to benefit from both the global feature of ViTs and the local feature of CNNs. To improve the accuracy and robustness of ViT, Shashanket al. [Kotyan and Vargas 2024] proposed an augmentation strategy named ‘Dynamic Scanning Augmentation’ which can input sequences dynamically and focus on different patches adaptively.

The concept of adversarial examples was first proposed by Szegedy et al. [Szegedy et al. 2014]. According to whether the internal parameters and architecture of the model are accessible, the adversarial attacks are mainly divided into white-box attacks and black-box attacks. Thanks to the ease of optimization, lots of works have been proposed in the white-box setting, such as FGSM [Goodfellow et al. 2015], I-FGSM [Kurakin et al. 2018], PGD [Madry et al. 2017], JSMA [Papernot et al. 2016], BPDA [Athalye et al. 2018], C&W attack [Carlini and Wagner 2017], L-BFGS [Szegedy et al. 2014], ANTs [Baluja and Fischer 2017], and DeepFool [Moosavi-Dezfooli et al. 2016]. The white-box attacks can achieve a very high success rate, however, are generally impractical due to the unavailability of the internal structure of the model. Instead, the black-box attacks (including soft-label and hard-label) were widely developed in practice. For the soft-label setting, attackers can obtain the output probabilities of all the categories, such as ZOO attack [Chen et al. 2017], NES attack [Ilyas et al. 2018], AutoZOOM attack [Tu et al. 2019], SimBA attack [Guo et al. 2019], LeBA attack [Yang et al. 2020], Sparse-RS attack [Croce et al. 2022]. Unlike soft-label attacks, hard-label attacks can access only the top-1 prediction class. Hence, the hard-label setting is more secure due to the least information leakage, but is much harder to attack. Brendelet al. [Brendel et al. 2018] proposed the boundary attack, which is the first hard-label attack. Based on the boundary attack, Cheng et al. [Cheng et al. 2019] treated the hard-label attack as an optimization problem and proposed an Opt attack. Cheng et al. [Cheng et al. 2020] designed Sign-OPT attack based on SignSGD algorithm [Liu et al. 2018]. Afterward, Ran et al. [Ran and Wang 2022] proposed the Sign-OPT+ method and further improved the query efficiency of Sign-OPT.

Due to the increasing deployment of ViTs in real-world computer vision tasks, the robustness of the ViTs has attracted great attention. Existing adversarial attacks against ViTs are mostly based on either the white-box setting [Bhojanapalli et al. 2021], [Shao et al. 2022], [Mahmood et al. 2021a] or transfer-based black-box setting [Wei et al. 2022], [Wang et al. 2022]. As we discussed above, the former is impractical, however, the latter consumes an extremely large query budget. Recent studies have revealed that ViTs are more robust to adversarial attacks than CNNs [Bhojanapalli et al. 2021], [Shao et al. 2022], [Mahmood et al. 2021a], [Wei et al. 2022], [Mahmood et al. 2021b]. Soon afterwards, Fu et al. [Fu et al. 2022] demonstrated for the first time that ViTs are not necessarily more robust than CNNs and are highly sensitive to modifications on individual patches. For the hard-label setting, Shi et al. [Shi et al. 2022] proposed a coarse-to-fine method (PAR) for the patch sizes to remove the noise within the patches. However, PAR concentrates the perturbations to a small number of patches, resulting in poor visual effects and low query efficiency.

The ViTs divide the image into a group of non-overlap** patches and encode them into vectors with the same dimension [Dosovitskiy et al. 2020], [Liu et al. 2021], which makes ViTs highly sensitive to the modification of individual patch [Fu et al. 2022]. Therefore, our attack focuses on modifications to the patches. Different from the existing low-frequency attack methods [Guo et al. 2020], [Wang and Wang 2022], [Li et al. 2020] that perform the DCT on the whole image, we first crop the image into a set of $16\times 16\times 3$ non-overlap** patches, and then perform a block DCT on all the patches separately. In doing so, the resultant DCT matrix has a patch attribute. This strategy plays an important role in breaking the semantics of the patch units.

For an input image $x_{0}$, we first crop out $n$ patches $P=[p_{1},...,p_{n}]^{T}\in R^{d\times d\times n}$ ($d$ is the width of a patch). Then, we perform the DCT on the $i^{th}$ patch:

After transformation, $F_{i}(u,v)$ corresponds to the magnitude of wave $\textrm{cos}\frac{(2u+1)v\pi}{2d}$, and lower values of $(u,v)$ present lower frequency. By performing the DCT for all patches of the image, we can get the DCT matrix of the entire image as

The resultant matrix $F$ has a patch attribute, where the main content information is concentrated in the upper-left corner region of each DCT block.

On one hand, most semantic information in natural images is located in the low-frequency part. Therefore, changes in the low-frequency components makes the model misclassify more easily. Based on this fact, our method aims to generate low-frequency perturbations. We extract the low-frequency components of all the patches by multiplying the DCT matrix with a $0/1$ mask matrix. The $0/1$ mask matrix is also divided into different patches, and only $r\times r$ ($1\leq r\leq d$) positions in the upper-left corner of each patch have a value $1$, with the remaining positions being $0$. For a single patch $P_{i}\in R^{d\times d}$ of the image, the corresponding $0/1$ mask value is:

where $r$ is a hyper-parameter that can control the number of low-frequency components of each patch to be attacked. Hence, we get the dimension reduction ratio:

After obtaining the DCT matrix $F$ and the weight mask matrix $M$ of the original image, we adopt the Sign-OPT [Cheng et al. 2020] to conduct adversarial attacks. However, unlike directly attacking in the pixel domain, our attack is performed in the DCT domain, and the frequency of being attacked is limited to a lower range, yielding a dimension reduction attack. Moreover, we design a weight mask matrix to control the proportion of patch perturbation. Finally, the inverse DCT (IDCT) can obtain the final adversarial example. The specific process can be divided into three steps.

Step 1: We generate a perturbation vector $\theta$ in the DCT domain randomly and then multiply it with the weight mask matrix $M$ to obtain a low-frequency perturbation vector:

where $\odot$ is the Hadamard product operation. Then, we calculate the shortest distance $g(\theta^{\prime})$ required for obtaining an adversarial example in the direction $\frac{\theta^{\prime}}{\parallel\theta^{\prime}\parallel}$. We select the $\theta^{\prime}$ which has the minimum $g(\theta^{\prime})$ as the best initial perturbation vector on the DCT domain, and $g(\theta^{\prime})$ as the initial distance $\lambda$, from a set of $\theta$. The calculation of a reasonable initial $\theta^{\prime}$ is as follows:

where

and $\lambda$ is computed through a binary search algorithm.

Step 2: When the initial $\theta^{\prime}$ and the corresponding distance $g(\theta^{\prime})$ are obtained, we need to determine further the update direction $\hat{\theta}$ of $\theta^{\prime}$, and $\hat{\theta}$ needs to meet the condition that current adversarial example in the new direction $\theta^{\prime}-\eta\hat{\theta}$ satisfies $g(\theta^{\prime}-\eta\hat{\theta})<g(\theta^{\prime})$, where $\eta$ is a step size factor. We use a sign gradient estimate method to calculate $\hat{\theta}$:

where $\mu_{j}$ is an randomly sampled Gaussian noise, and $J$ represents the number of random samples. $\textrm{sign}(\cdot)$ is the sign function which can be written as:

where $x^{\prime}=\textrm{IDCT}(F+g(\theta^{\prime})\frac{\theta^{\prime}+\epsilon\mu_{j}\odot M}{\parallel\theta^{\prime}+\epsilon\mu_{j}\odot M\parallel})$.

Step 3: We can get the optimized $\theta^{\prime}$ and $g(\theta^{\prime})$ by repeating Step 2, within the maximum allowed number of model queries. The final adversarial example $\hat{x}$ can be obtained through the IDCT operation:

Algorithm 1 describes the detailed attack process in the low-frequency DCT domain and generates the final adversarial examples. Through the above process, we can clearly observe that the adversarial examples generated by our method are built patch-wise with low-frequency perturbation on each patch. Therefore, our attack actualizes query efficiency against the ViTs that process images in a patch-wise manner. Algorithm 2 shows the overall procedure of our proposed AdvViT which takes the Sign-OPT attack [Cheng et al. 2020] as its baseline. Note that our method can be easily integrated with other baselines to achieve effective attacks on ViTs. For example, in this article, we also utilize the Sign-OPT+ attack [Ran and Wang 2022], which has shown a performance improvement compared to the Sign-OPT attack, as a baseline to conceive a new attack method named AdvViT+.

We evaluate our algorithm on the validation set of ImageNet-1K [Deng et al. 2009]. For fair comparison, eight classification models are used for testing, including ResNet-50 [He et al. 2016], VGG-16 [Simonyan and Zisserman 2014], Deit models [Touvron et al. 2021] (including Deit-T, Deit-S, Deit-B), and Swin Transformers [Liu et al. 2021] (including Swin-T, Swin-S, Swin-B). Our AdvViT and AdvViT+ are compared with six leading hard-label black-box attack methods, which are Opt attack [Cheng et al. 2019], Sign-OPT attack and SurFree attack [Maho et al. 2021], Sign-OPT+ attack [Ran and Wang 2022], Sign-OPT DCT attack and the PAR attack [Shi et al. 2022]. The Sign-OPT DCT attack is another version of the Sign-OPT attack, and it only changes the attack domain from the pixel domain to the DCT domain. The AdvViT+ attack is the method we proposed using the Sign-OPT+ as the baseline. For convenience, we use abbreviations in the following tables and figures as Sign: Sign-OPT attack, SD: Sign-OPT DCT attack, Sign+: Sign-OPT+ attack, AD: AdvViT attack, AD+: AdvViT+ attack.

For fair comparison, we randomly select 100 original images from the validation set, and generate adversarial examples for each image. Four important metrics are selected to evaluate the black-box adversarial attacks, namely $L_{2}$ loss (including average loss and median loss), success rate, PSNR, and SSIM. The success rate is the percentage of images that can obtain adversarial examples with distortion below the given threshold $\epsilon$ within the maximum number of model queries. In this paper, we empirically set $\epsilon$ to $5.0$.

On one hand, the dimension reduction ratio $\rho$ controls the percentage of low-frequency components of each patch to be attacked. A too-small $\rho$ will result in a failure attack. We test $14$ values of $\rho$ by taking $r$ within $[1,14]$ with a unit interval, and then calculate the $L_{2}$ loss and success rate. Figure 2 shows the results of AdvViT+ with different $\rho$ values on the Deit-T model. It can be seen from Figure 2 (a) that the attack cannot successfully get adversarial examples for every original image when the $\rho$ is set to too small, such as $1/16$ and $2/16$. Nevertheless, Figure 2 (b-c) shows that a smaller $\rho$ will result in a higher success rate and a lower $L_{2}$ loss. Therefore, to ensure that all original images can be transformed into adversarial examples, we take $\rho$ as small as possible, i.e. $\rho=3/16$.

Based on the best value $\rho=3/16$, we test the performance of AdvViT+ with different patch sizes on the Deit-T model, including $8\times 8$, $16\times 16$, $20\times 20$. The results indicate that AdvViT+ with patch size $16\times 16$ achieves the best attack effects, and the smallest average and median adversarial losses. Taking it a step forward, we can conclude that the optimal attack effect is attained when the patch size of the attack units exactly matches that of the data unit within ViT. That is $16\times 16$.

On the other hand, the hyper-parameter $\alpha$ is used to avoid the situation where the normalized variance values are too small, which can lead to a failure in finding initial noise. However, an excessive $\alpha$ also leads to performance degradation. We take seven values for $\alpha$, which are within $[2,14]$ with two unit intervals. For each value, we simultaneously record the results of AdvViT and AdvViT+ on the Deit-T model and the dimension reduction ratio $\rho=3/16$. All the results are plotted as curves in Figure 3. Figure 3 (a) and (b) show the $L_{2}$ loss curves of AdvViT and AdvViT+, respectively, and Figure 3 (c) gives the success rate curves on the given threshold $\epsilon=5.0$. It can be seen from Figure 3 that when the value of $\alpha$ is $4$, both the average $L_{2}$ loss and median $L_{2}$ loss of the two proposed methods are relatively lower, while the success rates are highest. Based on this observation, we take a value of $\alpha=4$.

Table 2 shows the adversarial losses of different attack methods on the validation set of ImageNet-1K, regarding both average $L_{2}$ loss and median $L_{2}$ loss separately. Table 2 reveals that our method does not outperform the CNN-based ones like ResNet50 and VGG16. In these cases, the average loss is not as good as the Sign-OPT+ attack (on ResNet50) and Sign-OPT attack (on VGG16), and the median loss is higher than the Sign-OPT attack. Instead, our attack demonstrates excellent performance in targeting ViT models. Firstly, the average losses of the adversarial examples generated by our method, AdvViT+, are significantly lower than the state-of-the-art methods on all the ViT models. For the median losses, the AdvViT+ attack performs better on the Deit-S, Deit-T, Deit-B, and Swin-T models. Secondly, our AdvViT and AdvViT+ methods achieve significant improvements compared to their baselines Sign-OPT attack and Sign-OPT+ attack, respectively. Compared with the Sign-OPT DCT attack, which also performs attacks in the DCT domain, AdvViT achieves a much better attack effect. This study provides further validation of the effectiveness of the proposed attack strategy, emphasizing that targeting the low-frequency components of each patch unit enhances attack efficiency. The performance of the AdvViT attack is not the best due to the constraint on the baseline. Promisingly, our attack strategy can be easily combined with the existing attack methods to achieve a better performance, such as our AdvViT+, which takes the Sign-OPT+ attack as the baseline. In terms of the attack success rate, Table 3 provides the results of the corresponding attacks in Table 2. The results show that our AdvViT+ method achieves the highest attack success rate on all ViT models except for Swin-S. Furthermore, the success rates of the proposed methods, AdvViT and AdvViT+, show significant improvements over their corresponding baselines for the tested ViT models.

In terms of the robustness comparison between CNNs and ViTs, it is not difficult to discover the following facts from Tables 2 and 3: i) When tested with the attack methods specifically designed for CNN-based models, such as OPT, SurFree, SD, Sign-OPT, and Sign-OPT+ attacks, ResNet50, and VGG16, our method exhibits inferior robustness compared to ViT models. These CNN models demonstrate lower average and median losses, as well as higher attack success rates. ii) When testing on our AdvViT+, the robustness of CNN-based models exhibits different results. For instance, the attack success rate of ResNet50 is lower than that of Deit-T, Deit-S, Deit-B, and Swin-T, while the attack success rate of VGG16 is also lower than that of Deit-T. This pattern also holds for the adversarial losses. iii) After incorporating our attack strategies, the proposed AdvViT and AdvViT+ methods show significant performance improvements in attacking the ViT-based models compared to their respective baseline Sign-OPT and Sign-OPT+ attacks. However, when applying these strategies to CNN-based models, the opposite scenario is observed.

Based on the above observations, we can draw a clear conclusion: ViTs are not always more robust than CNNs in hard-label black-box scenarios. The earlier viewpoint of ViTs being more robust than CNNs in some studies might be attributed to the fact that the evaluation methods they used were originally designed for CNNs. We found that these methods did not fully consider the unique characteristics of ViTs, namely their sensitivity to modifications at the patch unit level. In contrast, our work considers this specific characteristic, leading to a more accurate assessment of the robustness of ViTs compared to the methodology built on CNNs.

The visual effect is used to measure the degree to which perturbations in adversarial examples can be detected by the human eye. To show the advantage of the proposed method on the visual effect, we conduct a performance comparison from the quantitative and qualitative perspectives.

From a quantitative perspective, we employ two renowned metrics, PSNR and SSIM, to gauge the similarity of the original images and adversarial examples. Larger values of these metrics indicate higher similarity, suggesting that the adversarial examples are less likely to be discerned by the human eye. Table 4 compares the median PSNR and SSIM values. AdvViT+ attains the highest SSIM values across all tested classification models except for VGG-16, where it is surpassed by the Sign-OPT attack. Additionally, median PSNR results are generally higher in most ViT cases. Consequently, our attack demonstrates superior visual performance in targeting ViT models.

From a qualitative perspective, Figure 4 shows the adversarial examples generated by six different methods on three original images against the Deit-T model. We can easily observe from Figure 4 that our methods have better visual effects. It is because the perturbations of our method are concentrated in the high-frequency regions where the gradient change is usually larger than that of the smooth regions, and the changes in these areas are not easily noticed by human eyes. However, the perturbations in the adversarial examples of PAR can be easily observed, which results from concentrating the perturbations to a few patches.

To clarify the effectiveness and contribution of our innovative design, we conduct two ablation experiments: A) Attacking all the components of the DCT domain without dimension reduction; B) Using the patch-wise DCT to attack only the low-frequency components without the weight mask matrix. As shown in Table 5, compared with A and B, our method achieves significant performance improvements in terms of ASR, SSIM, and PSNR. Note that the superiority of our AdvViT+ over B in all three metrics provides solid evidence for the effectiveness of the weight mask matrix.