A comprehensive transplanting of black-box adversarial attacks from multi-class to multi-label models

Adversarial examples generated by perturbing raw data with carefully designed, imperceptible noise have emerged as a primary security threat to artificial intelligence systems. In particular, black-box adversarial attack algorithms, which only rely on model input and output to generate adversarial examples, are easy to implement in real scenarios. However, previous research on black-box attacks has primarily focused on multi-class classification models, with relatively few studies on black-box attack algorithms for multi-label classification models. Multi-label classification models exhibit significant differences from multi-class classification models in terms of structure and output. The former can assign multiple labels to a single sample, with these labels often exhibiting correlations, while the latter classifies a sample as the class with the highest confidence. Therefore, existing multi-class attack algorithms cannot directly attack multi-label classification models. In this paper, we study the transplantation methods of multi-class black-box attack algorithms to multi-label classification models and propose the multi-label versions for eight classic black-box attack algorithms, which include three score-based attacks and five decision-based (label-only) attacks, for the first time. Experimental results indicate that the transplanted black-box attack algorithms demonstrate effective attack performance across various attack types, except for extreme attacks. Especially, most transplanted attack algorithms achieve more than 60% success rate on the ML-GCN model and more than 30% on the ML-LIW model under the hiding all attack type. However, the performance of these transplanted attack algorithms shows variation among different attack types due to the correlations between labels.