Renyang Liu,Kwok-Yan Lam,Wei Zhou,Sixing Wu,Jun Zhao,Dongting Hu,Mingming Gong

2024-03-30

Abstract:Many attack techniques have been proposed to explore the vulnerability of DNNs and further help to improve their robustness. Despite the significant progress made recently, existing black-box attack methods still suffer from unsatisfactory performance due to the vast number of queries needed to optimize desired perturbations. Besides, the other critical challenge is that adversarial examples built in a noise-adding manner are abnormal and struggle to successfully attack robust models, whose robustness is enhanced by adversarial training against small perturbations. There is no doubt that these two issues mentioned above will significantly increase the risk of exposure and result in a failure to dig deeply into the vulnerability of DNNs. Hence, it is necessary to evaluate DNNs' fragility sufficiently under query-limited settings in a non-additional way. In this paper, we propose the Spatial Transform Black-box Attack (STBA), a novel framework to craft formidable adversarial examples in the query-limited scenario. Specifically, STBA introduces a flow field to the high-frequency part of clean images to generate adversarial examples and adopts the following two processes to enhance their naturalness and significantly improve the query efficiency: a) we apply an estimated flow field to the high-frequency part of clean images to generate adversarial examples instead of introducing external noise to the benign image, and b) we leverage an efficient gradient estimation method based on a batch of samples to optimize such an ideal flow field under query-limited settings. Compared to existing score-based black-box baselines, extensive experiments indicated that STBA could effectively improve the imperceptibility of the adversarial examples and remarkably boost the attack success rate under query-limited settings.

Computer Vision and Pattern Recognition,Image and Video Processing

Yanru Xiao,Cong Wang

DOI: https://doi.org/10.1109/CVPR46437.2021.00197

2021-01-01

Abstract:With the large multimedia content online, deep hashing has become a popular method for efficient image retrieval and storage. However, by inheriting the algorithmic back-end from softmax classification, these techniques are vulnerable to the well-known adversarial examples as well. The massive collection of online images into the database also opens up new attack vectors. Attackers can embed adversarial images into the database and target specific categories to be retrieved by user queries. In this paper, we start from an adversarial standpoint to explore and enhance the capacity of targeted black-box transferability attack for deep hashing. We motivate this work by a series of empirical studies to see the unique challenges in image retrieval. We study the relations between adversarial subspace and black-box transferability via utilizing random noise as a proxy. Then we develop a new attack that is simultaneously adversarial and robust to noise to enhance transferability. Our experimental results demonstrate about 1.2-3x improvements of black-box transferability compared with the state-of-the-art mechanisms.

Yang Bai,Yuyuan Zeng,Yong Jiang,Yisen Wang,Shu-Tao Xia,Weiwei Guo

DOI: https://doi.org/10.48550/arXiv.2009.11508

2020-09-25

Abstract:Deep neural networks (DNNs) have demonstrated excellent performance on various tasks, however they are under the risk of adversarial examples that can be easily generated when the target model is accessible to an attacker (white-box setting). As plenty of machine learning models have been deployed via online services that only provide query outputs from inaccessible models (e.g. Google Cloud Vision API2), black-box adversarial attacks (inaccessible target model) are of critical security concerns in practice rather than white-box ones. However, existing query-based black-box adversarial attacks often require excessive model queries to maintain a high attack success rate. Therefore, in order to improve query efficiency, we explore the distribution of adversarial examples around benign inputs with the help of image structure information characterized by a Neural Process, and propose a Neural Process based black-box adversarial attack (NP-Attack) in this paper. Extensive experiments show that NP-Attack could greatly decrease the query counts under the black-box setting.

Machine Learning

Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Yali Du,Meng Fang,Jinfeng Yi,Jun Cheng,Dacheng Tao

DOI: https://doi.org/10.1145/3270101.3270106

2018-01-01

Abstract:Recent studies have highlighted that deep neural networks (DNNs) are vulnerable to adversarial attacks, even in a black-box scenario. However, most of the existing black-box attack algorithms need to make a huge amount of queries to perform attacks, which is not practical in the real world. We note one of the main reasons for the massive queries is that the adversarial example is required to be visually similar to the original image, but in many cases, how adversarial examples look like does not matter much. It inspires us to introduce a new attack called input-free attack, under which an adversary can choose an arbitrary image to start with and is allowed to add perceptible perturbations on it. Following this approach, we propose two techniques to significantly reduce the query complexity. First, we initialize an adversarial example with a gray color image on which every pixel has roughly the same importance for the target model. Then we shrink the dimension of the attack space by perturbing a small region and tiling it to cover the input image. To make our algorithm more effective, we stabilize a projected gradient ascent algorithm with momentum, and also propose a heuristic approach for region size selection. Recent studies have highlighted that deep neural networks (DNNs) are vulnerable to adversarial attacks, even in a black-box scenario. However, most of the existing black-box attack algorithms need to make a huge amount of queries to perform attacks, which is not practical in the real world. We note one of the main reasons for the massive queries is that the adversarial example is required to be visually similar to the original image, but in many cases, how adversarial examples look like does not matter much. It inspires us to introduce a new attack called input-free attack, under which an adversary can choose an arbitrary image to start with and is allowed to add perceptible perturbations on it. Following this approach, we propose two techniques to significantly reduce the query complexity. First, we initialize an adversarial example with a gray color image on which every pixel has roughly the same importance for the target model. Then we shrink the dimension of the attack space by perturbing a small region and tiling it to cover the input image. To make our algorithm more effective, we stabilize a projected gradient ascent algorithm with momentum, and also propose a heuristic approach for region size selection. Through extensive experiments, we show that with only 1,701 queries on average, we can perturb a gray image to any target class of ImageNet with a 100% success rate on InceptionV3. Besides, our algorithm has successfully defeated two real-world systems, the Clarifai food detection API and the Baidu Animal Identification API.

Renyang Liu,Wei Zhou,Xin Jin,Song Gao,Yuanyu Wang,Ruxin Wang

DOI: https://doi.org/10.1186/s42400-023-00197-2

2024-04-05

Abstract:In generating adversarial examples, the conventional black-box attack methods rely on sufficient feedback from the to-be-attacked models by repeatedly querying until the attack is successful, which usually results in thousands of trials during an attack. This may be unacceptable in real applications since Machine Learning as a Service Platform (MLaaS) usually only returns the final result (i.e., hard-label) to the client and a system equipped with certain defense mechanisms could easily detect malicious queries. By contrast, a feasible way is a hard-label attack that simulates an attacked action being permitted to conduct a limited number of queries. To implement this idea, in this paper, we bypass the dependency on the to-be-attacked model and benefit from the characteristics of the distributions of adversarial examples to reformulate the attack problem in a distribution transform manner and propose a distribution transform-based attack (DTA). DTA builds a statistical mapping from the benign example to its adversarial counterparts by tackling the conditional likelihood under the hard-label black-box settings. In this way, it is no longer necessary to query the target model frequently. A well-trained DTA model can directly and efficiently generate a batch of adversarial examples for a certain input, which can be used to attack un-seen models based on the assumed transferability. Furthermore, we surprisingly find that the well-trained DTA model is not sensitive to the semantic spaces of the training dataset, meaning that the model yields acceptable attack performance on other datasets. Extensive experiments validate the effectiveness of the proposed idea and the superiority of DTA over the state-of-the-art.

Renyang Liu,Wei Zhou,Sixin Wu,Jun Zhao,Kwok-Yan Lam

2023-12-12

Abstract:Extensive studies have demonstrated that deep neural networks (DNNs) are vulnerable to adversarial attacks, which brings a huge security risk to the further application of DNNs, especially for the AI models developed in the real world. Despite the significant progress that has been made recently, existing attack methods still suffer from the unsatisfactory performance of escaping from being detected by naked human eyes due to the formulation of adversarial example (AE) heavily relying on a noise-adding manner. Such mentioned challenges will significantly increase the risk of exposure and result in an attack to be failed. Therefore, in this paper, we propose the Salient Spatially Transformed Attack (SSTA), a novel framework to craft imperceptible AEs, which enhance the stealthiness of AEs by estimating a smooth spatial transform metric on a most critical area to generate AEs instead of adding external noise to the whole image. Compared to state-of-the-art baselines, extensive experiments indicated that SSTA could effectively improve the imperceptibility of the AEs while maintaining a 100\% attack success rate.

Computer Vision and Pattern Recognition,Image and Video Processing

Chenghao Sun,Yonggang Zhang,Wan Chaoqun,Qizhou Wang,Ya Li,Tongliang Liu,Bo Han,Xinmei Tian

DOI: https://doi.org/10.48550/arXiv.2209.14826

IF: 5.414

2022-09-29

Machine Learning

Abstract:Black-box attacks can generate adversarial examples without accessing the parameters of target model, largely exacerbating the threats of deployed deep neural networks (DNNs). However, previous works state that black-box attacks fail to mislead target models when their training data and outputs are inaccessible. In this work, we argue that black-box attacks can pose practical attacks in this extremely restrictive scenario where only several test samples are available. Specifically, we find that attacking the shallow layers of DNNs trained on a few test samples can generate powerful adversarial examples. As only a few samples are required, we refer to these attacks as lightweight black-box attacks. The main challenge to promoting lightweight attacks is to mitigate the adverse impact caused by the approximation error of shallow layers. As it is hard to mitigate the approximation error with few available samples, we propose Error TransFormer (ETF) for lightweight attacks. Namely, ETF transforms the approximation error in the parameter space into a perturbation in the feature space and alleviates the error by disturbing features. In experiments, lightweight black-box attacks with the proposed ETF achieve surprising results. For example, even if only 1 sample per category available, the attack success rate in lightweight black-box attacks is only about 3% lower than that of the black-box attacks with complete training data.

Chenhao Lin,Sicong Han,Jiongli Zhu,Qian Li,Chao Shen,Youwei Zhang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.ins.2023.04.008

IF: 8.1

2023-01-01

Information Sciences

Abstract:Recent research on adversarial attacks has highlighted the vulnerability of deep neural networks (DNNs) to perturbations. While existing studies generate adversarial perturbations spread across the entire image, these global perturbations may be visible to human eyes, reducing their effectiveness in real-world scenarios. To alleviate this issue, recent works propose to modify a limited number of input pixels to implement adversarial attacks. However, these approaches still have limitations in terms of both imperceptibility and efficiency. This paper proposes a novel plug-in framework called Sensitive Region-Aware Attack (SRA) to generate soft-label black-box adversarial examples using the sensitivity map and evolution strategies. First, a transferable black-box sensitivity map generation approach is proposed for identifying the sensitive regions of input images. To perform SRA with a limited amount of perturbed pixels, a dynamic l(0) and l(infinity) adjustment strategy is introduced. Furthermore, an adaptive evolution strategy is employed to optimize the selection of generated sensitive regions, allowing for the execution of effective and imperceptible attacks. Experimental results demonstrate that our SRA achieves an imperceptible soft-label black-box attack with a 96.43% success rate using less than 20% of the image pixels on ImageNet and a 100% success rate using 30% of the image pixels on CIFAR-10.

Kangyi Ding,Xiaolei Liu,Weina Niu,Teng Hu,Yanping Wang,Xiaosong Zhang

DOI: https://doi.org/10.1016/j.knosys.2021.107102

IF: 8.139

2021-01-01

Knowledge-Based Systems

Abstract:Artificial intelligence systems suffer from black-box adversarial attacks recently. To prevent this kind of attack, a large amount of researches that reveal the nature of this attack has emerged. However, the query count, success rate, and distortion in the existing works cannot fully satisfy the practical purposes. In this paper, we propose a low-query black-box adversarial attack based on transferability by combining the optimization-based method and the transfer-based method. Our approach aims to improve the black-box attack with a lower number of queries, higher success rate, and lower distortion. In addition, we make full use of surrogate models and optimize the objective function to further improve the performance of our algorithm. We verified our method on MNIST (Lecun and Bottou, 1998) [1], CIFAR-10 (Krizhevsky et al., 2009) [2], and ImageNet (Deng et al. 2009) [3], respectively. Experimental results demonstrate that our method can implement a black-box attack with more than 98.5% success rate and achieve specific distortion with less than 5% queries comparing with other state-of-the-art methods. (C) 2021 Elsevier B.V. All rights reserved.

Lingzhuang Meng,Mingwen Shao,Fan Wang,Yuanjian Qiao,Zhaofei Xu

DOI: https://doi.org/10.1109/tr.2024.3369865

IF: 5.883

2024-01-01

IEEE Transactions on Reliability

Abstract:Convolutional neural networks (CNNs) are known to be vulnerable to adversarial examples even in black-box scenarios, posing a significant threat to their reliability and security. Most existing black-box attack methods primarily focus on data-free scenarios, which often require a large number of queries and yield low attack success rates. But in practical applications, it is feasible to collect a small amount of data associated with the target network. In light of this, in this article, we propose an advancing few-shot black-box attack with alternating training scheme using few data and alternating training to improve the efficiency and attack success rate. Specifically, we propose an alternating training approach consisting of two parts, both aimed at optimizing the substitute network, which alternate and reinforce each other, leading to a significant reduction in the query budget required for a successful attack. In addition, we propose an image degradation (ID) module that expands the data volume diversity through ID techniques to mitigate the problem of generator overfitting. Furthermore, we design a model specific adapter to enable the substitute networks to dynamically adjust the parameters for different target networks. Extensive experiments demonstrate the efficacy of our approach in significantly reducing the query budget while achieving higher attack success rates compared to state-of-the-art competitors.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Zongyao Hu,Lixiong Liu,Qingbing Sang,Chongwen Wang

DOI: https://doi.org/10.1016/j.knosys.2024.111655

IF: 8.139

2024-03-22

Knowledge-Based Systems

Abstract:Most currently developed video quality assessment (VQA) algorithms have achieved excellent performance by using deep neural network (DNN). However, DNN is vulnerable to adversarial attacks, as an efficient surrogate for validating the model robustness, and there lack adversarial attack methods against VQA models. To this end, we propose a spatiotemporal attack network to generate adversarial examples for evaluating the robustness of VQA models that contains a spatial subnetwork and a temporal subnetwork. The proposed network, dubbed the Space-Time Quality Attack Network (STQA-Net 1 ), first computes the just noticeable difference (JND) maps of a video sequence as the input of the spatial subnetwork. The spatial subnetwork encodes the computed maps as spatial features and feeds the spatial features to the temporal subnetwork. Then, the spatial features are fused with the output of the temporal subnetwork and the fused features are decoded as attack weight maps. A visual constraint is used to control the visibility of perturbations and guide the generation of perturbation maps by multiplying JND maps with attack weight maps. Finally, the generated perturbation maps are added to the original video to form an adversarial example. Further, we also try to design a two-branch network to generate two opposite examples in a targeted attack scenario. The proposed attack methods against six state-of-the-art VQA algorithms are thoroughly tested on three VQA databases. The experimental results show that the proposed attack methods are very effective for testing the robustness of VQA models.

computer science, artificial intelligence

Zhengzhi Lu,Guoan Yang

DOI: https://doi.org/10.1109/icivc58118.2023.10270265

2023-01-01

Abstract:Adversarial attacks have demonstrated the vulnerability of deep neural networks (DNNs), which raises considerable security concerns. The existing attack methods require either prior knowledge of the victim DNNs and labels or frequent model querying. However, these requirements are usually infeasible or time-consuming, leading to suspicions about whether the attacks can be launched in real-world scenarios. To this end, we propose a universally strict black-box attack, which generates adversarial samples only using unlabeled data. It reduces the reliance on external information such as victim models, training processes, and ground-truth labels. Specifically, we first learn a latent manifold using contrastive learning. Then a novel universally adversarial loss is proposed to obtain adversaries directly in the latent space. It utilizes the dissimilarity between samples to craft perturbations without accessing labels and decision boundaries. Moreover, we propose a cluster selection for negative samples to improve the effectiveness of our attack. By evaluating the universally strict black-box attack against baseline models, we find it reaches an average fooling rate of 57.93%, which is on par with transfer-based black-box attacks. Our method shows the threats of adversarial attacks under more practical conditions and could serve as a new benchmark for assessing the robustness of DNNs.

Chuxuan Tong,Xi Zheng,Jianhua Li,Xingjun Ma,Longxiang Gao,Yong Xiang

DOI: https://doi.org/10.1109/taslp.2023.3304476

2023-01-01

IEEE/ACM Transactions on Audio Speech and Language Processing

Abstract:The susceptibility of Deep Neural Networks (DNNs) to adversarial attacks has raised concerns regarding their practical applications in real-world scenarios. Although the vulnerability of DNNs to adversarial attacks has been extensively studied in the image domain, research in the audio domain, particularly in the black-box setting with Automatic Speech Recognition (ASR) models, remains limited. While various black-box attacks have been proposed for ASR models, such as transfer attacks, hardware attacks, and query-based attacks, this study concentrates on query-based black-box attacks. The article introduces a new gradient estimation technique, Temporal Natural Evolution Strategies (T-NES), to generate adversarial audio samples more efficiently than existing attacks. T-NES leverages the temporal correlation present in audio to speed up gradient estimation based on the probability scores returned by the target model. The empirical results on benchmark datasets, LibriSpeech and TEDLIUM, and two state-of-the-art ASR models, DeepSpeech2 and Wav2Letter, demonstrate that T-NES can generate successful attacks with up to 30% fewer queries than existing attacks within 500 queries. T-NES could provide a robust baseline for evaluating the black-box adversarial vulnerability of ASR systems.

Meixi Zheng,Xuanchen Yan,Zihao Zhu,Hongrui Chen,Baoyuan Wu

DOI: https://doi.org/10.48550/arXiv.2312.16979

2023-12-28

Abstract:Adversarial examples are well-known tools to evaluate the vulnerability of deep neural networks (DNNs). Although lots of adversarial attack algorithms have been developed, it is still challenging in the practical scenario that the model's parameters and architectures are inaccessible to the attacker/evaluator, i.e., black-box adversarial attacks. Due to the practical importance, there has been rapid progress from recent algorithms, reflected by the quick increase in attack success rate and the quick decrease in query numbers to the target model. However, there is a lack of thorough evaluations and comparisons among these algorithms, causing difficulties of tracking the real progress, analyzing advantages and disadvantages of different technical routes, as well as designing future development roadmap of this field. Thus, in this work, we aim at building a comprehensive benchmark of black-box adversarial attacks, called BlackboxBench. It mainly provides: 1) a unified, extensible and modular-based codebase, implementing 25 query-based attack algorithms and 30 transfer-based attack algorithms; 2) comprehensive evaluations: we evaluate the implemented algorithms against several mainstreaming model architectures on 2 widely used datasets (CIFAR-10 and a subset of ImageNet), leading to 14,106 evaluations in total; 3) thorough analysis and new insights, as well analytical tools. The website and source codes of BlackboxBench are available at <a class="link-external link-https" href="https://blackboxbench.github.io/" rel="external noopener nofollow">this https URL</a> and <a class="link-external link-https" href="https://github.com/SCLBD/BlackboxBench/" rel="external noopener nofollow">this https URL</a>, respectively.

Cryptography and Security

Xin Wang,Kai Chen,Xingjun Ma,Zhineng Chen,Jingjing Chen,Yu-Gang Jiang

2024-08-04

Abstract:Deep neural networks (DNNs) are known to be vulnerable to adversarial attacks even under a black-box setting where the adversary can only query the model. Particularly, query-based black-box adversarial attacks estimate adversarial gradients based on the returned probability vectors of the target model for a sequence of queries. During this process, the queries made to the target model are intermediate adversarial examples crafted at the previous attack step, which share high similarities in the pixel space. Motivated by this observation, stateful detection methods have been proposed to detect and reject query-based attacks. While demonstrating promising results, these methods either have been evaded by more advanced attacks or suffer from low efficiency in terms of the number of shots (queries) required to detect different attacks. Arguably, the key challenge here is to assign high similarity scores for any two intermediate adversarial examples perturbed from the same clean image. To address this challenge, we propose a novel Adversarial Contrastive Prompt Tuning (ACPT) method to robustly fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries. With ACPT, we further introduce a detection framework AdvQDet that can detect 7 state-of-the-art query-based attacks with $>99\%$ detection rate within 5 shots. We also show that ACPT is robust to 3 types of adaptive attacks. Code is available at <a class="link-external link-https" href="https://github.com/xinwong/AdvQDet" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Chao Li,Tingsong Jiang,Handing Wang,Wen Yao,Donghua Wang

DOI: https://doi.org/10.1109/TPAMI.2024.3461686

2024-09-16

Abstract:Black-box adversarial attacks can be categorized into transfer-based and query-based attacks. The former usually has poor transfer performance due to the mismatch between the architectures of models, while the query-based attacks require massive queries and high dimensional optimization variables. In order to solve the above problems, we propose a novel attack framework integrating the advantages of transfer- and query-based attacks, where the framework is divided into two phases: training the adversarial generator and executing the black-box attacks. In the first stage, a generator is trained by the adversarial loss function so that it can output adversarial perturbation, where the latent variables are designed as the input of the generator to reduce the dimension of the optimization variables. In the second stage, based on the trained generator, we further employ a particle swarm optimization algorithm to optimize the latent variables so that the generator can output the perturbation that can achieve a successful attack. Extensive experiments are performed on the ImageNet dataset, and the results demonstrate that the proposed framework can obtain better attack performance compared with a number of the state-of-the-art black-box adversarial attack methods. In addition, we show the flexibility of the proposed framework by extending the experiment for few-pixel attacks.

Chuan Guo,Jacob R. Gardner,Yurong You,Andrew Gordon Wilson,Kilian Q. Weinberger

DOI: https://doi.org/10.48550/arXiv.1905.07121

IF: 5.414

2019-05-17

Machine Learning

Abstract:We propose an intriguingly simple method for the construction of adversarial images in the black-box setting. In constrast to the white-box scenario, constructing black-box adversarial images has the additional constraint on query budget, and efficient attacks remain an open problem to date. With only the mild assumption of continuous-valued confidence scores, our highly query-efficient algorithm utilizes the following simple iterative principle: we randomly sample a vector from a predefined orthonormal basis and either add or subtract it to the target image. Despite its simplicity, the proposed method can be used for both untargeted and targeted attacks -- resulting in previously unprecedented query efficiency in both settings. We demonstrate the efficacy and efficiency of our algorithm on several real world settings including the Google Cloud Vision API. We argue that our proposed algorithm should serve as a strong baseline for future black-box attacks, in particular because it is extremely fast and its implementation requires less than 20 lines of PyTorch code.

Yandong Li,Lijun Li,Liqiang Wang,Tong Zhang,Boqing Gong

DOI: https://doi.org/10.48550/arXiv.1905.00441

IF: 5.414

2019-05-01

Machine Learning

Abstract:Powerful adversarial attack methods are vital for understanding how to construct robust deep neural networks (DNNs) and for thoroughly testing defense techniques. In this paper, we propose a black-box adversarial attack algorithm that can defeat both vanilla DNNs and those generated by various defense techniques developed recently. Instead of searching for an "optimal" adversarial example for a benign input to a targeted DNN, our algorithm finds a probability density distribution over a small region centered around the input, such that a sample drawn from this distribution is likely an adversarial example, without the need of accessing the DNN's internal layers or weights. Our approach is universal as it can successfully attack different neural networks by a single algorithm. It is also strong; according to the testing against 2 vanilla DNNs and 13 defended ones, it outperforms state-of-the-art black-box or white-box attack methods for most test cases. Additionally, our results reveal that adversarial training remains one of the best defense techniques, and the adversarial examples are not as transferable across defended DNNs as them across vanilla DNNs.

Viet Quoc Vo,Ehsan Abbasnejad,Damith C. Ranasinghe

2024-06-01

Abstract:We study the unique, less-well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. Sparse attacks aim to discover a minimum number-the l0 bounded-perturbations to model inputs to craft adversarial examples and misguide model decisions. But, in contrast to query-based dense attack counterparts against black-box models, constructing sparse adversarial perturbations, even when models serve confidence score information to queries in a score-based setting, is non-trivial. Because, such an attack leads to i) an NP-hard problem; and ii) a non-differentiable search space. We develop the BruSLeAttack-a new, faster (more query-efficient) Bayesian algorithm for the problem. We conduct extensive attack evaluations including an attack demonstration against a Machine Learning as a Service (MLaaS) offering exemplified by Google Cloud Vision and robustness testing of adversarial training regimes and a recent defense against black-box attacks. The proposed attack scales to achieve state-of-the-art attack success rates and query efficiency on standard computer vision tasks such as ImageNet across different model architectures. Our artefacts and DIY attack samples are available on GitHub. Importantly, our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.

Machine Learning,Cryptography and Security