Yinpeng Dong,Hang Su,Baoyuan Wu,Zhifeng Li,Wei Liu,Tong Zhang,Jun Zhu

DOI: https://doi.org/10.1109/cvpr.2019.00790

2019-06-01

Abstract:Face recognition has obtained remarkable progress in recent years due to the great improvement of deep convolutional neural networks (CNNs). However, deep CNNs are vulnerable to adversarial examples, which can cause fateful consequences in real-world face recognition applications with security-sensitive purposes. Adversarial attacks are widely studied as they can identify the vulnerability of the models before they are deployed. In this paper, we evaluate the robustness of state-of-the-art face recognition models in the decision-based black-box attack setting, where the attackers have no access to the model parameters and gradients, but can only acquire hard-label predictions by sending queries to the target model. This attack setting is more practical in real-world face recognition systems. To improve the efficiency of previous methods, we propose an evolutionary attack algorithm, which can model the local geometry of the search directions and reduce the dimension of the search space. Extensive experiments demonstrate the effectiveness of the proposed method that induces a minimum perturbation to an input face image with fewer queries. We also apply the proposed method to attack a real-world face recognition system successfully.

Zheng Yuan,Jie Zhang,Zhaoyan Jiang,Liangliang Li,Shiguang Shan

2024-02-27

Abstract:In recent years, the security of deep learning models achieves more and more attentions with the rapid development of neural networks, which are vulnerable to adversarial examples. Almost all existing gradient-based attack methods use the sign function in the generation to meet the requirement of perturbation budget on $L_\infty$ norm. However, we find that the sign function may be improper for generating adversarial examples since it modifies the exact gradient direction. Instead of using the sign function, we propose to directly utilize the exact gradient direction with a scaling factor for generating adversarial perturbations, which improves the attack success rates of adversarial examples even with fewer perturbations. At the same time, we also theoretically prove that this method can achieve better black-box transferability. Moreover, considering that the best scaling factor varies across different images, we propose an adaptive scaling factor generator to seek an appropriate scaling factor for each image, which avoids the computational cost for manually searching the scaling factor. Our method can be integrated with almost all existing gradient-based attack methods to further improve their attack success rates. Extensive experiments on the CIFAR10 and ImageNet datasets show that our method exhibits higher transferability and outperforms the state-of-the-art methods.

Computer Vision and Pattern Recognition

Heng Yin,Jindong Wang,Yan Mi,Xiaoning Zhang

DOI: https://doi.org/10.1109/icmcce51767.2020.00272

2020-12-01

Abstract:While the neural network plays a significant role in image recognition, it's vulnerable to the adversarial examples, which is a potential threat to the deep learning systems. However, the adversarial examples can also be used to validate the effectiveness of the networks. And the transferability of the adversarial examples needed to be improved. Learning rate decay is a trick that is often used in the model training, and we apply this method into the generation of the adversarial examples. The Step Size Decay Iterative Fast Gradient Sign Method and Step Size Decay Momentum Iterative Fast Gradient Sign Method are proposed in this paper, which lead to better convergence and improve the attack performance of the adversarial examples on black-box models. Extensive experiments on ImageNet have validated the effectiveness of our methods.

Shenyi Zhang,Baolin Zheng,Peipei Jiang,Lingchen Zhao,Chao Shen,Qian Wang

DOI: https://doi.org/10.1109/tifs.2024.3359441

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Adversarial examples (AEs) pose significant threats to deep neural networks (DNNs), as they can deceive models into making wrong predictions through craftily-designed perturbations. The emergence of decision-based attacks, which rely solely on the top-1 decision label, further increases risks for real-world black-box models. Currently, the prevailing practice for generating AEs in the decision-based setting involves penalizing adversarial perturbations with the $\ell _{p}$ -norm. However, this approach often overlooks the human perception of adversarial perturbations in real-world scenarios. To tackle this issue, we propose a novel and efficient Imperceptible Decision-based Black-box Attack (IDBA). Our method prioritizes optimizing the perception-related distribution of perturbations, rather than solely focusing on the $\ell _{p}$ -norm. Specifically, IDBA analyzes the perceptual preferences of both models and the human vision system, selectively perturbing components that influence model decisions yet remain imperceptible to human eyes. Extensive experiments demonstrate that IDBA outperforms the state-of-the-art methods in terms of invisibility and query efficiency. Notably, IDBA achieves a high Feature SIMilarity (FSIM) score of 0.92 with only 4,800 queries, while simultaneously reducing the Learned Perceptual Image Patch Similarity (LPIPS) to 0.12, showcasing its ability to remain imperceptible.

computer science, theory & methods,engineering, electrical & electronic

Qi-An Fu,Yinpeng Dong,Hang Su,Jun Zhu,Chao Zhang

2022-01-01

Abstract:Adversarial attacks can fool deep learning models by imposing imperceptible perturbations onto natural examples, which have provoked concerns in various security-sensitive applications. Among them, decision-based black-box attacks are practical yet more challenging, where the adversary can only acquire the final classification labels by querying the target model without access to the model's details. Under this setting, existing works usually rely on heuristics and exhibit unsatisfactory performance in terms of query efficiency and attack success rate. To better understand the rationality of these heuristics and further improve over existing methods, we propose AutoDA to automatically discover decision-based iterative adversarial attack algorithms. In our approach, we construct a generic search space of attack algorithms and develop an efficient search algorithm to explore this space. Although we adopt a small and fast model to efficiently evaluate and discover qualified attack algorithms during the search, extensive experiments demonstrate that the discovered algorithms are simple yet query-efficient when attacking larger models on the CIFAR-10 and ImageNet datasets. They achieve comparable performance with the human-designed state-of-the-art decision-based iterative attack methods consistently.

Su Zheng,Jialin Chen,Lingli Wang

DOI: https://doi.org/10.1109/ijcnn.2019.8852078

2019-01-01

Abstract:Deep neural networks (DNNs) are widely applied to image classification tasks. Due to the fact that these models are usually vulnerable, subtle perturbations of pixels may lead to classification errors, which poses a serious threat to the success of DNN applications. Moreover, perturbations of pixels can also corrupt other pattern recognition models such as Naive Bayes (NB), Decision Tree (DT) and Random Forest (RF). In this paper, a general method is proposed to carry out targeted black-box attacks for image classification models. The proposed method can achieve targeted fool rates (TFRs) of 0.873 and 0.781 on CIFAR-10 dataset with and without the access to the training set of the target model respectively. For cross-model attacks, the proposed method can still achieve a TFR of 0.630 on CIFAR-10. Furthermore, the proposed method is able to mount attacks for up to 100 classes on CIFAR-100 dataset with a TFR of 0.721, successfully handling 99 cases for each class. In our experiments, the proposed method shows higher performance and higher reliability than other black-box attack methods, with 0.123 greater maximum TFR and 0.602 greater minimum TFR than previous methods UPSET and ANGRI on CIFAR-10 in attacks trained on a single model.

Yang Bai,Yuyuan Zeng,Yong Jiang,Yisen Wang,Shu-Tao Xia,Weiwei Guo

DOI: https://doi.org/10.48550/arXiv.2009.11508

2020-09-25

Abstract:Deep neural networks (DNNs) have demonstrated excellent performance on various tasks, however they are under the risk of adversarial examples that can be easily generated when the target model is accessible to an attacker (white-box setting). As plenty of machine learning models have been deployed via online services that only provide query outputs from inaccessible models (e.g. Google Cloud Vision API2), black-box adversarial attacks (inaccessible target model) are of critical security concerns in practice rather than white-box ones. However, existing query-based black-box adversarial attacks often require excessive model queries to maintain a high attack success rate. Therefore, in order to improve query efficiency, we explore the distribution of adversarial examples around benign inputs with the help of image structure information characterized by a Neural Process, and propose a Neural Process based black-box adversarial attack (NP-Attack) in this paper. Extensive experiments show that NP-Attack could greatly decrease the query counts under the black-box setting.

Machine Learning

Meng Shen,Changyue Li,Hao Yu,Qi Li,Liehuang Zhu,Ke Xu

DOI: https://doi.org/10.1109/tdsc.2023.3289298

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Decision-based adversarial attacks pose a severe threat to real-world applications of Deep Neural Networks (DNNs), as attackers are assumed to have no prior knowledge about target model except hard labels of model outputs. Existing decision-based attacks require a large number of queries on the target model for a successful attack. In this paper, we propose DEAL, a decision-based query efficient adversarial attack based on adaptive boundary learning. DEAL relies on a local model named boundary learner, which is initialized through meta-learning mechanism to obtain the ability to adapt the decision boundaries to a new model. We conduct extensive experiments to evaluate the effectiveness of DEAL, which demonstrates that it outperforms 8 state-of-the-art attacks. Specifically for the evaluation on CIFAR-10 dataset, DEAL can achieve similar attack success rates with a maximum reduction in average number of queries of 51% in untargeted attacks and 14% in targeted attacks, respectively.

Han Liu,Xingshuo Huang,Xiaotong Zhang,Qimai Li,Fenglong Ma,Wei Wang,Hongyang Chen,Hong Yu,Xianchao Zhang

2023-10-29

Abstract:Decision-based methods have shown to be effective in black-box adversarial attacks, as they can obtain satisfactory performance and only require to access the final model prediction. Gradient estimation is a critical step in black-box adversarial attacks, as it will directly affect the query efficiency. Recent works have attempted to utilize gradient priors to facilitate score-based methods to obtain better results. However, these gradient priors still suffer from the edge gradient discrepancy issue and the successive iteration gradient direction issue, thus are difficult to simply extend to decision-based methods. In this paper, we propose a novel Decision-based Black-box Attack framework with Gradient Priors (DBA-GP), which seamlessly integrates the data-dependent gradient prior and time-dependent prior into the gradient estimation procedure. First, by leveraging the joint bilateral filter to deal with each random perturbation, DBA-GP can guarantee that the generated perturbations in edge locations are hardly smoothed, i.e., alleviating the edge gradient discrepancy, thus remaining the characteristics of the original image as much as possible. Second, by utilizing a new gradient updating strategy to automatically adjust the successive iteration gradient direction, DBA-GP can accelerate the convergence speed, thus improving the query efficiency. Extensive experiments have demonstrated that the proposed method outperforms other strong baselines significantly.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Feiyang Wang,Xingquan Zuo,Hai Huang,Gang Chen

2024-06-12

Abstract:Many machine learning models are susceptible to adversarial attacks, with decision-based black-box attacks representing the most critical threat in real-world applications. These attacks are extremely stealthy, generating adversarial examples using hard labels obtained from the target machine learning model. This is typically realized by optimizing perturbation directions, guided by decision boundaries identified through query-intensive exact search, significantly limiting the attack success rate. This paper introduces a novel approach using the Approximation Decision Boundary (ADB) to efficiently and accurately compare perturbation directions without precisely determining decision boundaries. The effectiveness of our ADB approach (ADBA) hinges on promptly identifying suitable ADB, ensuring reliable differentiation of all perturbation directions. For this purpose, we analyze the probability distribution of decision boundaries, confirming that using the distribution's median value as ADB can effectively distinguish different perturbation directions, giving rise to the development of the ADBA-md algorithm. ADBA-md only requires four queries on average to differentiate any pair of perturbation directions, which is highly query-efficient. Extensive experiments on six well-known image classifiers clearly demonstrate the superiority of ADBA and ADBA-md over multiple state-of-the-art black-box attacks. The source code is available at <a class="link-external link-https" href="https://github.com/BUPTAIOC/ADBA" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Geunhyeok Yu,Minwoo Jeon,Hyoseok Hwang

2023-08-14

Abstract:The susceptibility of deep neural networks (DNNs) to adversarial examples has prompted an increase in the deployment of adversarial attacks. Image-agnostic universal adversarial perturbations (UAPs) are much more threatening, but many limitations exist to implementing UAPs in real-world scenarios where only binary decisions are returned. In this research, we propose Decision-BADGE, a novel method to craft universal adversarial perturbations for executing decision-based black-box attacks. To optimize perturbation with decisions, we addressed two challenges, namely the magnitude and the direction of the gradient. First, we use batch loss, differences from distributions of ground truth, and accumulating decisions in batches to determine the magnitude of the gradient. This magnitude is applied in the direction of the revised simultaneous perturbation stochastic approximation (SPSA) to update the perturbation. This simple yet efficient method can be easily extended to score-based attacks as well as targeted attacks. Experimental validation across multiple victim models demonstrates that the Decision-BADGE outperforms existing attack methods, even image-specific and score-based attacks. In particular, our proposed method shows a superior success rate with less training time. The research also shows that Decision-BADGE can successfully deceive unseen victim models and accurately target specific classes.

Computer Vision and Pattern Recognition

Zhaoyu Chen,Zhengyang Shan,Jingwen Chang,Kaixun Jiang,Dingkang Yang,Yiting Cheng,Wenqiang Zhang

2024-02-02

Abstract:Semantic segmentation is a fundamental visual task that finds extensive deployment in applications with security-sensitive considerations. Nonetheless, recent work illustrates the adversarial vulnerability of semantic segmentation models to white-box attacks. However, its adversarial robustness against black-box attacks has not been fully explored. In this paper, we present the first exploration of black-box decision-based attacks on semantic segmentation. First, we analyze the challenges that semantic segmentation brings to decision-based attacks through the case study. Then, to address these challenges, we first propose a decision-based attack on semantic segmentation, called Discrete Linear Attack (DLA). Based on random search and proxy index, we utilize the discrete linear noises for perturbation exploration and calibration to achieve efficient attack efficiency. We conduct adversarial robustness evaluation on 5 models from Cityscapes and ADE20K under 8 attacks. DLA shows its formidable power on Cityscapes by dramatically reducing PSPNet's mIoU from an impressive 77.83% to a mere 2.14% with just 50 queries.

Computer Vision and Pattern Recognition,Cryptography and Security

Chao Li,Handing Wang,Jun Zhang,Wen Yao,Tingsong Jiang

DOI: https://doi.org/10.1109/tevc.2022.3151373

IF: 16.497

2022-01-01

IEEE Transactions on Evolutionary Computation

Abstract:Recent studies show that deep neural networks are vulnerable to adversarial attacks in the form of subtle perturbations to the input image, which leads the model to output wrong prediction. Such an attack can easily succeed by the existing white-box attack methods, where the perturbation is calculated based on the gradient of the target network. Unfortunately, the gradient is often unavailable in the real-world scenarios, which makes the black-box adversarial attack problems practical and challenging. In fact, they can be formulated as high-dimensional black-box optimization problems at the pixel level. Although evolutionary algorithms are well known for solving black-box optimization problems, they cannot efficiently deal with the high-dimensional decision space. Therefore, we propose an approximated gradient sign method using differential evolution (DE) for solving black-box adversarial attack problems. Unlike most existing methods, it is novel that the proposed method searches the gradient sign rather than the perturbation by a DE algorithm. Also, we transform the pixel-based decision space into a dimension-reduced decision space by combining the pixel differences from the input image to neighbor images, and two different techniques for selecting neighbor images are introduced to build the transferred decision space. In addition, six variants of the proposed method are designed according to the different neighborhood selection and optimization search strategies. Finally, the performance of the proposed method is compared with a number of the state-of-the-art adversarial attack algorithms on CIFAR-10 and ImageNet datasets. The experimental results suggest that the proposed method shows superior performance for solving black-box adversarial attack problems, especially nontargeted attack problems.

computer science, artificial intelligence, theory & methods

Yike Zhan,Baolin Zheng,Qian Wang,Ningping Mou,Binqing Guo,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/icme52920.2022.9859856

2022-01-01

Abstract:Recent works have empirically shown that neural network interpretability is susceptible to malicious manipulations. However, existing attacks against Interpretable Deep Learning Systems (IDLSes) all focus on the white-box setting, which is obviously unpractical in real-world scenarios. In this paper, we make the first attempt to attack IDLSes in the decision-based black-box setting. We propose a new framework called Dual Black-box Adversarial Attack (DBAA) which can generate adversarial examples that are misclassified as the target class, yet have very similar interpretations to their benign cases. We conduct comprehensive experiments on different combinations of classifiers and interpreters to illustrate the effectiveness of DBAA. Empirical results show that in all the cases, DBAA achieves high attack success rates and Intersection over Union (IoU) scores.

Jianshuo Dong,Han Qiu,Yiming Li,Tianwei Zhang,Yuanjie Li,Zeqi Lai,Chao Zhang,Shu-Tao Xia

DOI: https://doi.org/10.1109/iccv51070.2023.00432

2023-01-01

Abstract:Deep neural networks (DNNs) are widely deployed on real-world devices. Concerns regarding their security have gained great attention from researchers. Recently, a new weight modification attack called bit flip attack (BFA) was proposed, which exploits memory fault inject techniques such as row hammer to attack quantized models in the deployment stage. With only a few bit flips, the target model can be rendered useless as a random guesser or even be implanted with malicious functionalities. In this work, we seek to further reduce the number of bit flips. We propose a training-assisted bit flip attack, in which the adversary is involved in the training stage to build a high-risk model to release. This high-risk model, obtained coupled with a corresponding malicious model, behaves normally and can escape various detection methods. The results on benchmark datasets show that an adversary can easily convert this high-risk but normal model to a malicious one on victim's side by flipping only one critical bit on average in the deployment stage. Moreover, our attack still poses a significant threat even when defenses are employed. The codes for reproducing main experiments are available at https://github.com/jianshuod/TBA.

Hanbin Hong,Xinyu Zhang,Binghui Wang,Zhongjie Ba,Yuan Hong

2024-09-06

Abstract:Black-box adversarial attacks have demonstrated strong potential to compromise machine learning models by iteratively querying the target model or leveraging transferability from a local surrogate model. Recently, such attacks can be effectively mitigated by state-of-the-art (SOTA) defenses, e.g., detection via the pattern of sequential queries, or injecting noise into the model. To our best knowledge, we take the first step to study a new paradigm of black-box attacks with provable guarantees -- certifiable black-box attacks that can guarantee the attack success probability (ASP) of adversarial examples before querying over the target model. This new black-box attack unveils significant vulnerabilities of machine learning models, compared to traditional empirical black-box attacks, e.g., breaking strong SOTA defenses with provable confidence, constructing a space of (infinite) adversarial examples with high ASP, and the ASP of the generated adversarial examples is theoretically guaranteed without verification/queries over the target model. Specifically, we establish a novel theoretical foundation for ensuring the ASP of the black-box attack with randomized adversarial examples (AEs). Then, we propose several novel techniques to craft the randomized AEs while reducing the perturbation size for better imperceptibility. Finally, we have comprehensively evaluated the certifiable black-box attacks on the CIFAR10/100, ImageNet, and LibriSpeech datasets, while benchmarking with 16 SOTA black-box attacks, against various SOTA defenses in the domains of computer vision and speech recognition. Both theoretical and experimental results have validated the significance of the proposed attack. The code and all the benchmarks are available at \url{<a class="link-external link-https" href="https://github.com/datasec-lab/CertifiedAttack" rel="external noopener nofollow">this https URL</a>}.

Machine Learning,Cryptography and Security

Chen Ma,Shuyu Cheng,Li Chen,Jun‐Hai Yong

2020-01-01

Abstract:We propose a simple and highly query-efficient black-box adversarial attack named SWITCH, which has a state-of-the-art performance under $\ell_2$ and $\ell_\infty$ norms in the score-based setting. In the black box attack setting, designing query-efficient attacks remains an open problem. The high query efficiency of the proposed approach stems from the combination of transfer-based attacks and random-search-based ones. The surrogate model's gradient $\hat{\mathbf{g}}$ is exploited for the guidance, which is then switched if our algorithm detects that it does not point to the adversarial region by using a query, thereby keeping the objective loss function of the target model rising as much as possible. Two switch operations are available, i.e., SWITCH$_\text{neg}$ and SWITCH$_\text{rnd}$. SWITCH$_\text{neg}$ takes $-\hat{\mathbf{g}}$ as the new direction, which is reasonable under an approximate local linearity assumption. SWITCH$_\text{rnd}$ computes the gradient from another model, which is randomly selected from a large model set, to help bypass the potential obstacle in optimization. Experimental results show that these strategies boost the optimization process whereas following the original surrogate gradients does not work. In SWITCH, no query is used to estimate the gradient, and all the queries aim to determine whether to switch directions, resulting in unprecedented query efficiency. We demonstrate that our approach outperforms 10 state-of-the-art attacks on CIFAR-10, CIFAR-100 and TinyImageNet datasets. SWITCH can serve as a strong baseline for future black-box attacks. The PyTorch source code is released in this https URL .

Jiawang Bai,Baoyuan Wu,Yong Zhang,Yiming Li,Zhifeng Li,Shu-Tao Xia

2021-01-01

Abstract:To explore the vulnerability of deep neural networks (DNNs), many attack paradigms have been well studied, such as the poisoning-based backdoor attack in the training stage and the adversarial attack in the inference stage. In this paper, we study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes. Specifically, our goal is to misclassify a specific sample into a target class without any sample modification, while not significantly reduce the prediction accuracy of other samples to ensure the stealthiness. To this end, we formulate this problem as a binary integer programming (BIP), since the parameters are stored as binary bits (i.e., 0 and 1) in the memory. By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem, which can be effectively and efficiently solved using the alternating direction method of multipliers (ADMM) method. Consequently, the flipped critical bits can be easily determined through optimization, rather than using a heuristic strategy. Extensive experiments demonstrate the superiority of our method in attacking DNNs. The code is available at: https://github.com/jiawangbai/TA-LBF.

Boxi Wu,Heng Pan,Li Shen,Jindong Gu,Shuai Zhao,Zhifeng Li,Deng Cai,Xiaofei He,Wei Liu

DOI: https://doi.org/10.48550/arXiv.2106.04938

IF: 5.414

2021-06-09

Machine Learning

Abstract:It is well known that adversarial attacks can fool deep neural networks with imperceptible perturbations. Although adversarial training significantly improves model robustness, failure cases of defense still broadly exist. In this work, we find that the adversarial attacks can also be vulnerable to small perturbations. Namely, on adversarially-trained models, perturbing adversarial examples with a small random noise may invalidate their misled predictions. After carefully examining state-of-the-art attacks of various kinds, we find that all these attacks have this deficiency to different extents. Enlightened by this finding, we propose to counter attacks by crafting more effective defensive perturbations. Our defensive perturbations leverage the advantage that adversarial training endows the ground-truth class with smaller local Lipschitzness. By simultaneously attacking all the classes, the misled predictions with larger Lipschitzness can be flipped into correct ones. We verify our defensive perturbation with both empirical experiments and theoretical analyses on a linear model. On CIFAR10, it boosts the state-of-the-art model from 66.16% to 72.66% against the four attacks of AutoAttack, including 71.76% to 83.30% against the Square attack. On ImageNet, the top-1 robust accuracy of FastAT is improved from 33.18% to 38.54% under the 100-step PGD attack.