Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Yang Bai,Yuyuan Zeng,Yong Jiang,Yisen Wang,Shu-Tao Xia,Weiwei Guo

DOI: https://doi.org/10.48550/arXiv.2009.11508

2020-09-25

Abstract:Deep neural networks (DNNs) have demonstrated excellent performance on various tasks, however they are under the risk of adversarial examples that can be easily generated when the target model is accessible to an attacker (white-box setting). As plenty of machine learning models have been deployed via online services that only provide query outputs from inaccessible models (e.g. Google Cloud Vision API2), black-box adversarial attacks (inaccessible target model) are of critical security concerns in practice rather than white-box ones. However, existing query-based black-box adversarial attacks often require excessive model queries to maintain a high attack success rate. Therefore, in order to improve query efficiency, we explore the distribution of adversarial examples around benign inputs with the help of image structure information characterized by a Neural Process, and propose a Neural Process based black-box adversarial attack (NP-Attack) in this paper. Extensive experiments show that NP-Attack could greatly decrease the query counts under the black-box setting.

Machine Learning

Wenli Xiao,Hao Jiang,Song Xia

DOI: https://doi.org/10.1109/ictc49638.2020.9123270

2020-01-01

Abstract:Machine learning can be misled by adversarial examples, which is formed by making small changes to the original data. Nowadays, there are kinds of methods to produce adversarial examples. However, they can not apply non-differentiable models, reduce the amount of calculations, and shorten the sample generation time at the same time. In this paper, we propose a new black box attack generating adversarial examples based on reinforcement learning. By using deep Q-learning network, we can train the substitute model and generate adversarial examples at the same time. Experimental results show that this method only needs 7.7ms to produce an adversarial example, which solves the problems of low efficiency, large amount of calculation and inapplicable to non-differentiable model.

Chenhao Lin,Sicong Han,Jiongli Zhu,Qian Li,Chao Shen,Youwei Zhang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.ins.2023.04.008

IF: 8.1

2023-01-01

Information Sciences

Abstract:Recent research on adversarial attacks has highlighted the vulnerability of deep neural networks (DNNs) to perturbations. While existing studies generate adversarial perturbations spread across the entire image, these global perturbations may be visible to human eyes, reducing their effectiveness in real-world scenarios. To alleviate this issue, recent works propose to modify a limited number of input pixels to implement adversarial attacks. However, these approaches still have limitations in terms of both imperceptibility and efficiency. This paper proposes a novel plug-in framework called Sensitive Region-Aware Attack (SRA) to generate soft-label black-box adversarial examples using the sensitivity map and evolution strategies. First, a transferable black-box sensitivity map generation approach is proposed for identifying the sensitive regions of input images. To perform SRA with a limited amount of perturbed pixels, a dynamic l(0) and l(infinity) adjustment strategy is introduced. Furthermore, an adaptive evolution strategy is employed to optimize the selection of generated sensitive regions, allowing for the execution of effective and imperceptible attacks. Experimental results demonstrate that our SRA achieves an imperceptible soft-label black-box attack with a 96.43% success rate using less than 20% of the image pixels on ImageNet and a 100% success rate using 30% of the image pixels on CIFAR-10.

Haobo Wang,Chenxi Zhu,Yangjie Cao,Yan Zhuang,Jie Li,Xianfu Chen

DOI: https://doi.org/10.3390/electronics12040816

IF: 2.9

2023-01-01

Electronics

Abstract:Deep neural networks are susceptible to interference from deliberately crafted noise, which can lead to incorrect classification results. Existing approaches make less use of latent space information and conduct pixel-domain modification in the input space instead, which increases the computational cost and decreases the transferability. In this work, we propose an effective adversarial distribution searching-driven attack (ADSAttack) algorithm to generate adversarial examples against deep neural networks. ADSAttack introduces an affiliated network to search for potential distributions in image latent space for synthesizing adversarial examples. ADSAttack uses an edge-detection algorithm to locate low-level feature mapping in input space to sketch the minimum effective disturbed area. Experimental results demonstrate that ADSAttack achieves higher transferability, better imperceptible visualization, and faster generation speed compared to traditional algorithms. To generate 1000 adversarial examples, ADSAttack takes 11.08s and, on average, achieves a success rate of 98.01%.

Ziang Yan,Yiwen Guo,Changshui Zhang

2019-01-01

Abstract:Unlike the white-box counterparts that are widely studied and readily accessible, adversarial examples in black-box settings are generally more Herculean on account of the difficulty of estimating gradients. Many methods achieve the task by issuing numerous queries to target classification systems, which makes the whole procedure costly and suspicious to the systems. In this paper, we aim at reducing the query complexity of black-box attacks in this category. We propose to exploit gradients of a few reference models which arguably span some promising search subspaces. Experimental results show that, in comparison with the state-of-the-arts, our method can gain up to 2x and 4x reductions in the requisite mean and medium numbers of queries with much lower failure rates even if the reference models are trained on a small and inadequate dataset disjoint to the one for training the victim model. Code and models for reproducing our results are available at https://github.com/ZiangYan/subspace-attack.pytorch.

YiGui Luo,RuiJia Yang,Wei Sha,WeiYi Ding,YouTeng Sun,YiSi Wang

DOI: https://doi.org/10.48550/arXiv.1906.09072

2019-06-21

Abstract:Many studies have been done to prove the vulnerability of neural networks to adversarial example. A trained and well-behaved model can be fooled by a visually imperceptible perturbation, i.e., an originally correctly classified image could be misclassified after a slight perturbation. In this paper, we propose a black-box strategy to attack such networks using an evolution algorithm. First, we formalize the generation of an adversarial example into the optimization problem of perturbations that represent the noise added to an original image at each pixel. To solve this optimization problem in a black-box way, we find that an evolution algorithm perfectly meets our requirement since it can work without any gradient information. Therefore, we test various evolution algorithms, including a simple genetic algorithm, a parameter-exploring policy gradient, an OpenAI evolution strategy, and a covariance matrix adaptive evolution strategy. Experimental results show that a covariance matrix adaptive evolution Strategy performs best in this optimization problem. Additionally, we also perform several experiments to explore the effect of different regularizations on improving the quality of an adversarial example.

Computer Vision and Pattern Recognition

Chenshuang Zhang,Chaoning Zhang,Taegoo Kang,Donghun Kim,Sung-Ho Bae,In So Kweon

2023-05-08

Abstract:Segment Anything Model (SAM) has attracted significant attention recently, due to its impressive performance on various downstream tasks in a zero-short manner. Computer vision (CV) area might follow the natural language processing (NLP) area to embark on a path from task-specific vision models toward foundation models. However, deep vision models are widely recognized as vulnerable to adversarial examples, which fool the model to make wrong predictions with imperceptible perturbation. Such vulnerability to adversarial attacks causes serious concerns when applying deep models to security-sensitive applications. Therefore, it is critical to know whether the vision foundation model SAM can also be fooled by adversarial attacks. To the best of our knowledge, our work is the first of its kind to conduct a comprehensive investigation on how to attack SAM with adversarial examples. With the basic attack goal set to mask removal, we investigate the adversarial robustness of SAM in the full white-box setting and transfer-based black-box settings. Beyond the basic goal of mask removal, we further investigate and find that it is possible to generate any desired mask by the adversarial attack.

Computer Vision and Pattern Recognition,Artificial Intelligence

Andrew Ilyas,Logan Engstrom,Anish Athalye,Jessy Lin

DOI: https://doi.org/10.48550/arXiv.1712.07113

2017-12-19

Computer Vision and Pattern Recognition

Abstract:Note that this paper is superceded by "Black-Box Adversarial Attacks with Limited Queries and Information." Current neural network-based image classifiers are susceptible to adversarial examples, even in the black-box setting, where the attacker is limited to query access without access to gradients. Previous methods --- substitute networks and coordinate-based finite-difference methods --- are either unreliable or query-inefficient, making these methods impractical for certain problems. We introduce a new method for reliably generating adversarial examples under more restricted, practical black-box threat models. First, we apply natural evolution strategies to perform black-box attacks using two to three orders of magnitude fewer queries than previous methods. Second, we introduce a new algorithm to perform targeted adversarial attacks in the partial-information setting, where the attacker only has access to a limited number of target classes. Using these techniques, we successfully perform the first targeted adversarial attack against a commercially deployed machine learning system, the Google Cloud Vision API, in the partial information setting.

Lei Xu,Junhai Zhai

DOI: https://doi.org/10.26599/tst.2023.9010004

2024-04-01

Abstract:Deep neural network (DNN) has strong representation learning ability, but it is vulnerable and easy to be fooled by adversarial examples. In order to handle the vulnerability of DNN, many methods have been proposed. The general idea of existing methods is to reduce the chance of DNN models being fooled by observing some designed adversarial examples, which are generated by adding perturbations to the original images. In this paper, we propose a novel adversarial example generation method, called DCVAE-adv. Different from the existing methods, DCVAE-adv constructs adversarial examples by mixing both explicit and implicit perturbations without using original images. Furthermore, the proposed method can be applied to both white box and black box attacks. In addition, in the inference stage, the adversarial examples can be generated without loading the original images into memory, which greatly reduces the memory overhead. We compared DCVAE-adv with three most advanced adversarial attack algorithms: FGSM, AdvGAN, and AdvGAN++. The experimental results demonstrate that DCVAE-adv is superior to these state-of-the-art methods in terms of attack success rate and transfer ability for targeted attack. Our code is available at https://github.com/xzforeverlove/DCVAE-adv.

computer science, information systems,engineering, electrical & electronic, software engineering

Anli Yan,Xiaozhang Liu,Wanman Li,Hongwei Ye,Lang Li

DOI: https://doi.org/10.1016/j.bdr.2024.100451

IF: 3.3

2024-03-28

Big Data Research

Abstract:Neural network-based classifiers are vulnerable to adversarial example attacks even in a black-box setting. Existing adversarial example generation technologies mainly rely on optimization-based attacks, which optimize the objective function by iterative input perturbation. While being able to craft adversarial examples, these techniques require big budgets. Latest transfer-based attacks, though being limited queries, also have a disadvantage of low attack success rate. In this paper, we propose an adversarial example attack method called MEAttack using the model-agnostic explanation technology, which can more efficiently generate adversarial examples in the black-box setting with limited queries. The core idea is to design a novel model-agnostic explanation method for target models, and generate adversarial examples based on model explanations. We experimentally demonstrate that MEAttack outperforms the state-of-the-art attack technology, i.e., AutoZOOM. The success rate of MEAttack is 4.54%-47.42% higher than AutoZOOM, and its query efficiency is reduced by 2.6-4.2 times. Experimental results show that MEAttack is efficient in terms of both attack success rate and query efficiency.

computer science, information systems, artificial intelligence, theory & methods

Linjun Zhou,Peng Cui,Xingxuan Zhang,Yinan Jiang,Shiqiang Yang

DOI: https://doi.org/10.1109/cvpr52688.2022.01482

2022-01-01

Abstract:Black-box adversarial attack has aroused much research attention for its difficulty on nearly no available information of the attacked model and the additional constraint on the query budget. A common way to improve attack efficiency is to transfer the gradient information of a white-box substitute model trained on an extra dataset. In this paper, we deal with a more practical setting where a pre-trained white-box model with network parameters is provided without extra training data. To solve the model mismatch problem between the white-box and black-box models, we propose a novel algorithm EigenBA by systematically integrating gradient-based white-box method and zeroth-order optimization in black-box methods. We theoretically show the optimal directions of perturbations for each step are closely related to the right singular vectors of the Jacobian matrix of the pretrained white-box model. Extensive experiments on ImageNet, CIFAR-10 and WebVision show that EigenBA can consistently and significantly outperform state-of-the-art baselines in terms of success rate and attack efficiency.

YU Tingyue,WANG Shen,ZHANG Chunrui,WANG Zhenbang,LI Yetian,YU Xiangzhan

DOI: https://doi.org/10.1049/cje.2021.06.009

IF: 1.019

2021-09-01

Chinese Journal of Electronics

Abstract:In recent years, adversarial examples has become one of the most important security threats in deep learning applications. For testing the security of deep learning models in adversarial environment, many researches focus on generating adversarial examples quickly and efficiently. In order to solve the problems of existing generative adversarial networks based methods which can not effectively generate the targeted adversarial examples in black box settings, and to improve the temporal performance of gradient-based generating methods, an adversarial examples generating method based on conditional Variational autoencoder (cVAE) is proposed in this paper, where a cVAE is designed elaborately to generate adversarial examples without most of the detailed information about the attacked deep learning models, of which the output can be controlled arbitrarily by these crafted inputs, used to test the robustness of deep learning models against adversarial examples. The experimental results show that the proposed method can achieve a comparable attack success rate and a better temporal performance than the existing gradient-based generating methods in black box environment.

engineering, electrical & electronic

Phoenix Williams,Ke Li

DOI: https://doi.org/10.48550/arXiv.2203.04405

2022-03-07

Abstract:Deep neural networks (DNNs) have achieved state-of-the-art performance in many tasks but have shown extreme vulnerabilities to attacks generated by adversarial examples. Many works go with a white-box attack that assumes total access to the targeted model including its architecture and gradients. A more realistic assumption is the black-box scenario where an attacker only has access to the targeted model by querying some input and observing its predicted class probabilities. Different from most prevalent black-box attacks that make use of substitute models or gradient estimation, this paper proposes a gradient-free attack by using a concept of evolutionary art to generate adversarial examples that iteratively evolves a set of overlapping transparent shapes. To evaluate the effectiveness of our proposed method, we attack three state-of-the-art image classification models trained on the CIFAR-10 dataset in a targeted manner. We conduct a parameter study outlining the impact the number and type of shapes have on the proposed attack's performance. In comparison to state-of-the-art black-box attacks, our attack is more effective at generating adversarial examples and achieves a higher attack success rate on all three baseline models.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Chenming Yang,Liang Zhou,Hui Wen,Yue Wu

DOI: https://doi.org/10.1109/infocomwkshps50562.2020.9162699

2020-01-01

Abstract:Semi-supervised machine learning models, especially deep neural networks, have been widely used in network anomaly detection for their capability of capturing patterns in normal data. However, the models face security challenges when an attacker has obtained their full details. In this paper, we propose a universal adversarial sample generator (U-ASG), to perform white-box adversarial attacks on autoencoder-based semi-supervised network anomaly detection (SSNAD) systems. The purpose of adversarial attacks is to generate small adversarial perturbations and add them to targeted anomalous samples to fly under the radar. We model the generation process of adversarial perturbations as an optimization problem, in which we minimize the reconstruction errors of the adversarial samples through the trained autoencoder and approximate it to solve. Furthermore, to improve the attack performance against the variational autoencoder (VAE), which is robust to tiny perturbations through uncertainty modeling, we design a mechanism to weaken its robustness by introducing a variance regularizer to the optimization. Simulation results show that the adversarial attacks generated by our U-ASG can effectively degrade the performance of the autoencoder-based SSNAD systems.

Yali Du,Meng Fang,Jinfeng Yi,Jun Cheng,Dacheng Tao

DOI: https://doi.org/10.1145/3270101.3270106

2018-01-01

Abstract:Recent studies have highlighted that deep neural networks (DNNs) are vulnerable to adversarial attacks, even in a black-box scenario. However, most of the existing black-box attack algorithms need to make a huge amount of queries to perform attacks, which is not practical in the real world. We note one of the main reasons for the massive queries is that the adversarial example is required to be visually similar to the original image, but in many cases, how adversarial examples look like does not matter much. It inspires us to introduce a new attack called input-free attack, under which an adversary can choose an arbitrary image to start with and is allowed to add perceptible perturbations on it. Following this approach, we propose two techniques to significantly reduce the query complexity. First, we initialize an adversarial example with a gray color image on which every pixel has roughly the same importance for the target model. Then we shrink the dimension of the attack space by perturbing a small region and tiling it to cover the input image. To make our algorithm more effective, we stabilize a projected gradient ascent algorithm with momentum, and also propose a heuristic approach for region size selection. Recent studies have highlighted that deep neural networks (DNNs) are vulnerable to adversarial attacks, even in a black-box scenario. However, most of the existing black-box attack algorithms need to make a huge amount of queries to perform attacks, which is not practical in the real world. We note one of the main reasons for the massive queries is that the adversarial example is required to be visually similar to the original image, but in many cases, how adversarial examples look like does not matter much. It inspires us to introduce a new attack called input-free attack, under which an adversary can choose an arbitrary image to start with and is allowed to add perceptible perturbations on it. Following this approach, we propose two techniques to significantly reduce the query complexity. First, we initialize an adversarial example with a gray color image on which every pixel has roughly the same importance for the target model. Then we shrink the dimension of the attack space by perturbing a small region and tiling it to cover the input image. To make our algorithm more effective, we stabilize a projected gradient ascent algorithm with momentum, and also propose a heuristic approach for region size selection. Through extensive experiments, we show that with only 1,701 queries on average, we can perturb a gray image to any target class of ImageNet with a 100% success rate on InceptionV3. Besides, our algorithm has successfully defeated two real-world systems, the Clarifai food detection API and the Baidu Animal Identification API.

Xinxin Fan,Mengfan Li,Jia Zhou,Quanliang Jing,Chi Lin,Yunfeng Lu,Jingping Bi

DOI: https://doi.org/10.1109/tce.2024.3358179

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:This paper focuses on the transferability problem of adversarial examples towards black-box attack scenarios wherein model information such as the neural network structure is unavailable. To tackle this predicament, we propose a new adversarial example-generating scheme through bridging a data-modal conversion regime to spawn transferable adversarial examples without referring to the substitute model. Three contributions are mainly involved: i) we figure out an integrated framework to produce transferable adversarial examples through resorting to three components, i.e., image-to-graph conversion, perturbation on converted graph and graph-to-image inversion; ii) upon the conversion from image to graph, we pinpoint critical graph characteristics to implement perturbation using gradient-oriented and optimization-oriented adversarial attacks, then, invert the perturbation on graph into the pixel disturbance correspondingly; iii) multi-facet experiments verify the reasonability and effectiveness with the comparison to three baseline methods. Our work has two novelties: first, without referring to the substitute model, our proposed scheme does not need to acquire any information about the victim model in advance; second, we explore the possibility that inferring the adversarial features of image data through drawing support from network/graph science. In addition, we present three key issues worth deeper discussion, along with these open issues, our work deserves more studies in future.

telecommunications,engineering, electrical & electronic

Da-Tian Peng,Jianmin Dong,Mingjiang Zhang,Jungang Yang,Zhen Wang

DOI: https://doi.org/10.1109/tifs.2024.3402385

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:Extensive studies have revealed that the prevalent deep neural networks (DNNs) are vulnerable to adversarial examples in image recognition tasks. However, previous adversarial example attacks always work in either the global semantic space or local semantic attributes, resulting that these attacks may violate the sophisticated attackers' least-effort intentions, whereas adversarial perturbations due to the explicit semantic variations are probably perceived by human vision. In this paper, we propose a two-phase optimization modeling framework to devise a novel Critical Semantic Fusion guided least-effort Adversarial example attack (CSFAdv). Specifically, the first phase fuses the coarse-&fine-grained semantic maps to localize the latent critical semantic attention region (CSAR) from genuine image. Under the friendly guidance of CSAR-feasibility, the second phase absorbs the ReLU-penalization, -regularization and -limitation to formulate a Top-1&Top-2 misclassification optimization problem, which can characterize the holistic least-effort tampering behaviors embodied in localizing the most critical semantic space, doctoring the least amounts of pixels, injecting the limited amplitudes of perturbations and launching the most readily adversarial attacks. Further, to solve this NP-hard problem mildly, we adapt the gradient renewal by means of merging the momentum (past gradient), present gradient and Hessian (future gradient) to formalize a generalized gradient descent algorithm for generating an optimal adversarial image. Finally, we perform numerical experiments to verify the validity of our CSFAdv against seven types of DNN-based image classifiers on three public ImageNet, MNIST and CIFAR10. Empirical illustrations from ten evaluations indices shed light on the superiority of CSFAdv over eight kinds of state-of-the-art attacks and also offer key clues in reinforcing the DNNs' robustness.

computer science, theory & methods,engineering, electrical & electronic

Xinjie Feng,Hongxun Yao,Wenbin Che,Shengping Zhang

DOI: https://doi.org/10.1007/978-3-030-37731-1_32

2019-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples. Generally speaking adversarial examples are defined by adding input samples a small-magnitude perturbation, which is hardly misleading human observers' decision but would lead to misclassifications for a well trained models. Most of existing iterative adversarial attack methods suffer from low success rates in fooling model in a black-box manner. And we find that it is because perturbation neutralize each other in iterative process. To address this issue, we propose a novel boosted iterative method to effectively promote success rates. We conduct the experiments on ImageNet dataset, with five models normally trained for classification. The experimental results show that our proposed strategy can significantly improve success rates of fooling models in a black-box manner. Furthermore, it also outperforms the momentum iterative method (MI-FSGM), which won the first places in NeurIPS Non-targeted Adversarial Attack and Targeted Adversarial Attack competitions.

Sheng Zheng,Chaoning Zhang,Xinhong Hao

2024-02-28

Abstract:Deep recognition models are widely vulnerable to adversarial examples, which change the model output by adding quasi-imperceptible perturbation to the image input. Recently, Segment Anything Model (SAM) has emerged to become a popular foundation model in computer vision due to its impressive generalization to unseen data and tasks. Realizing flexible attacks on SAM is beneficial for understanding the robustness of SAM in the adversarial context. To this end, this work aims to achieve a targeted adversarial attack (TAA) on SAM. Specifically, under a certain prompt, the goal is to make the predicted mask of an adversarial example resemble that of a given target image. The task of TAA on SAM has been realized in a recent arXiv work in the white-box setup by assuming access to prompt and model, which is thus less practical. To address the issue of prompt dependence, we propose a simple yet effective approach by only attacking the image encoder. Moreover, we propose a novel regularization loss to enhance the cross-model transferability by increasing the feature dominance of adversarial images over random natural images. Extensive experiments verify the effectiveness of our proposed simple techniques to conduct a successful black-box TAA on SAM.

Computer Vision and Pattern Recognition