Certifiable Black-Box Attacks with Randomized Adversarial Examples: Breaking Defenses with Provable Confidence

Hanbin Hong,Xinyu Zhang,Binghui Wang,Zhongjie Ba,Yuan Hong
2024-09-06
Abstract:Black-box adversarial attacks have demonstrated strong potential to compromise machine learning models by iteratively querying the target model or leveraging transferability from a local surrogate model. Recently, such attacks can be effectively mitigated by state-of-the-art (SOTA) defenses, e.g., detection via the pattern of sequential queries, or injecting noise into the model. To our best knowledge, we take the first step to study a new paradigm of black-box attacks with provable guarantees -- certifiable black-box attacks that can guarantee the attack success probability (ASP) of adversarial examples before querying over the target model. This new black-box attack unveils significant vulnerabilities of machine learning models, compared to traditional empirical black-box attacks, e.g., breaking strong SOTA defenses with provable confidence, constructing a space of (infinite) adversarial examples with high ASP, and the ASP of the generated adversarial examples is theoretically guaranteed without verification/queries over the target model. Specifically, we establish a novel theoretical foundation for ensuring the ASP of the black-box attack with randomized adversarial examples (AEs). Then, we propose several novel techniques to craft the randomized AEs while reducing the perturbation size for better imperceptibility. Finally, we have comprehensively evaluated the certifiable black-box attacks on the CIFAR10/100, ImageNet, and LibriSpeech datasets, while benchmarking with 16 SOTA black-box attacks, against various SOTA defenses in the domains of computer vision and speech recognition. Both theoretical and experimental results have validated the significance of the proposed attack. The code and all the benchmarks are available at \url{<a class="link-external link-https" href="https://github.com/datasec-lab/CertifiedAttack" rel="external noopener nofollow">this https URL</a>}.
Machine Learning,Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is in black - box attacks, how to design a new type of attack method with provable success probability to overcome the effective defense of existing defense mechanisms against traditional black - box attacks. Specifically, the paper proposes a new paradigm named "Certifiable Black - Box Attack". This attack, by introducing randomized Adversarial Examples (AEs), can theoretically guarantee the Attack Success Probability (ASP) without querying the target model. This method can break through existing advanced defense techniques, such as defense based on query pattern detection and randomized defense by adding noise to the model input. ### Core Contributions of the Paper: 1. **Theoretical Innovation**: - Introduced the first randomized - based black - box attack theory, which can generally guarantee the successful attack probability of adversarial examples generated from different noise distributions (such as Gaussian distribution, Laplace distribution, and Cauchy distribution), achieving the transition from deterministic to probabilistic adversarial attacks. 2. **Framework Design**: - Proposed a new certifiable black - box attack framework, which can efficiently generate an adversarial distribution with provable ASP and high imperceptibility. The framework includes: - **Random Parallel Query Method**: Used to efficiently collect probability query results from any target model, supporting the certifiable attack theory. - **Self - Supervised Localization Method**: And binary search localization method, used to efficiently generate a certifiable adversarial distribution. - **Geometric Translation Method**: Used to reduce the perturbation size while maintaining ASP. - **Diffusion Model Application**: To further denoise the randomized adversarial examples while guaranteeing ASP. 3. **Experimental Verification**: - Comprehensively evaluated the performance of the certifiable attack under different settings on 4 datasets and benchmarked it against 16 state - of - the - art empirical black - box attacks against various defense mechanisms. The experimental results consistently show that the proposed certifiable attack can effectively break through the state - of - the - art defenses, including adversarial detection, random pre - processing and post - processing defenses, and adversarial training defenses. ### Main Advantages of the Paper: - **Strong Attack Ability**: Randomness enables the certifiable attack to effectively bypass detection methods (such as Blacklight) that rely on the similarity of the attacker's query sequence, and provides a provable success probability of attacking with random inputs, enhancing the resistance to randomized defenses. - **Adversarial Space Instead of a Single Sample**: Unlike traditional empirical adversarial attacks, the certifiable attack explores the adversarial input space constructed by the adversarial distribution, which helps to generate a large number (potentially infinite) of high - ASP adversarial examples, revealing more consistent and serious vulnerabilities of the target model. - **No Need for Verification**: Empirical attacks need to verify adversarial examples by iteratively querying the target model, while the certifiable attack generates an adversarial distribution with a guaranteed lower - bound ASP, so that the adversarial examples sampled from this distribution can ensure their effectiveness without additional queries, and these samples are brand - new to the defender, increasing the mitigation difficulty. Through these innovations, the paper provides new research directions and technical means for the field of black - box attacks, especially when facing complex defense mechanisms, showing significant advantages and potential.