Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Chen Lin,Si Chen,Meifang Zeng,Sheng Zhang,Min Gao,Hui Li

DOI: https://doi.org/10.1109/tnnls.2022.3183210

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Due to the pivotal role of recommender systems (RS) in guiding customers toward the purchase, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this article, we study shilling attacks where an adversarial party injects a number of fake user profiles for improper purposes. Conventional Shilling Attack approaches lack attack transferability (i.e., attacks are not effective on some victim RS models) and/or attack invisibility (i.e., injected profiles can be easily detected). To overcome these issues, we present learning to generate fake user profiles (Leg-UP), a novel attack model based on the generative adversarial network. Leg-UP learns user behavior patterns from real users in the sampled "templates" and constructs fake user profiles. To simulate real users, the generator in Leg-UP directly outputs discrete ratings. To enhance attack transferability, the parameters of the generator are optimized by maximizing the attack performance on a surrogate RS model. To improve attack invisibility, Leg-UP adopts a discriminator to guide the generator to generate undetectable fake user profiles. Experiments on benchmarks have shown that Leg-UP exceeds state-of-the-art shilling attack methods on a wide range of victim RS models. The source code of our work is available at: https://github.com/XMUDM/ShillingAttack.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Chen Lin,Si Chen,Hui Li,Yanghua Xiao,Lianyun Li,Qian Yang

DOI: https://doi.org/10.1145/3340531.3411884

2020-01-01

Abstract:Recommendation Systems (RS) have become an essential part of many online services. Due to its pivotal role in guiding customers towards purchasing, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this paper, we study the shilling attack: a subsistent and profitable attack where an adversarial party injects a number of user profiles to promote or demote a target item. Conventional shilling attack models are based on simple heuristics that can be easily detected, or directly adopt adversarial attack methods without a special design for RS. Moreover, the study on the attack impact on deep learning based RS is missing in the literature, making the effects of shilling attack against real RS doubtful. We present a novel Augmented Shilling Attack framework (AUSH) and implement it with the idea of Generative Adversarial Network. AUSH is capable of tailoring attacks against RS according to budget and complex attack goals, such as targeting a specific user group. We experimentally show that the attack impact of AUSH is noticeable on a wide range of RS including both classic and modern deep learning based RS, while it is virtually undetectable by the state-ofthe-art attack detection model.

Xuxin Zhang,Jian Chen,Rui Zhang,Chen Wang,Ling Liu

DOI: https://doi.org/10.1109/tifs.2021.3117078

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Recommender systems (RS) have become an essential component of web services due to their excellent performance. Despite their great success, RS have proved to be vulnerable to data poisoning attacks, which inject well-crafted fake profiles into RS, so that the target items can be maliciously recommended. In this paper, we first reveal that existing poisoning attacks in RS can be detected effortlessly, as the features of the generated fake profiles cannot be inconsistent with those of normal profiles all the time. We further propose RecUP, a poisoning attack in RS that can generate plausible profiles whose features stay almost the same as the normal ones, based on Generative Adversarial Networks (GAN). To tailor GAN for poisoning in RS, we develop HRGAN and devise a loss function to guide the training of the generator, along with a masking operation with selected potentially powerful profiles, so that the final generated profiles can perform malicious recommendations as expected. Evaluations against various defense methods using three real-world datasets show that, RecUP can generate the most plausible profiles while maintaining comparable attacking performance compared with state-of-the-art attacks.

computer science, theory & methods,engineering, electrical & electronic

Xiaoyu You,Chi Li,Daizong Ding,Mi Zhang,Fuli Feng,Xudong Pan,Min Yang

DOI: https://doi.org/10.1145/3543507.3583289

2023-01-01

Abstract:Graph neural network (GNN) based recommendation models are observed to be more vulnerable against carefully-designed malicious records injected into the system, i.e., shilling attacks, which manipulate the recommendation to common users and therefore impair user trust. In this paper, we for the first time conduct a systematic study on the vulnerability of GNN based recommendation model against the shilling attack. With the aid of theoretical analysis, we attribute the root cause of the vulnerability to its neighborhood aggregation mechanism, which could make the negative impact of attacks propagate rapidly in the system. To restore the robustness of GNN based recommendation model, the key factor lies in detecting malicious records in the system and preventing the propagation of misinformation. To this end, we construct a user-user graph to capture the patterns of malicious behaviors and design a novel GNN based detector to identify fake users. Furthermore, we develop a data augmentation strategy and a joint learning paradigm to train the recommender model and the proposed detector. Extensive experiments on benchmark datasets validate the enhanced robustness of the proposed method in resisting various types of shilling attacks and identifying fake users, e.g., our proposed method fully mitigating the impact of popularity attacks on target items up to , and improving the accuracy of detecting fake users on the Gowalla dataset by .

Hung-Yun Chiang,Yi-Syuan Chen,Yun-Zhu Song,Hong-Han Shuai,Jason S. Chang

DOI: https://doi.org/10.48550/arXiv.2306.16526

2023-06-27

Information Retrieval

Abstract:Review-Based Recommender Systems (RBRS) have attracted increasing research interest due to their ability to alleviate well-known cold-start problems. RBRS utilizes reviews to construct the user and items representations. However, in this paper, we argue that such a reliance on reviews may instead expose systems to the risk of being shilled. To explore this possibility, in this paper, we propose the first generation-based model for shilling attacks against RBRSs. Specifically, we learn a fake review generator through reinforcement learning, which maliciously promotes items by forcing prediction shifts after adding generated reviews to the system. By introducing the auxiliary rewards to increase text fluency and diversity with the aid of pre-trained language models and aspect predictors, the generated reviews can be effective for shilling with high fidelity. Experimental results demonstrate that the proposed framework can successfully attack three different kinds of RBRSs on the Amazon corpus with three domains and Yelp corpus. Furthermore, human studies also show that the generated reviews are fluent and informative. Finally, equipped with Attack Review Generators (ARGs), RBRSs with adversarial training are much more robust to malicious reviews.

Chenhan Zhang,Shui Yu,Zhiyi Tian,James J.Q. Yu

DOI: https://doi.org/10.1145/3615336

IF: 16.6

2023-08-16

ACM Computing Surveys

Abstract:Generative Adversarial Networks (GANs) are a remarkable creation with regard to deep generative models. Thanks to their ability to learn from complex data distributions, GANs have been credited with the capacity to generate plausible data examples, which have been widely applied to various data generation tasks over image, text, and audio. However, as with any powerful technology, GANs have a flip side: their capability to generate realistic data can be exploited for malicious purposes. Many recent studies have demonstrated the security and privacy (S&P) threats brought by GANs, especially the attacks on machine learning (ML) systems. Nevertheless, so far as we know, there is no existing survey that has systematically categorized and discussed the threats and strategies of these GAN-based attack methods. In this paper, we provide a comprehensive survey of GAN-based attacks and countermeasures. We summarize and articulate: (1) what S&P threats of GANs expose to ML systems; (2) why GANs are useful for certain attacks; (3) what strategies can be used for GAN-based attacks; (4) what countermeasures can be effective to GAN-based attacks. Finally, we provide several promising research directions combining the existing limitations of GAN-based studies and the prevailing trend in the associated research fields.

computer science, theory & methods

Shijie Wang,Wenqi Fan,Xiao-yong Wei,Xiaowei Mei,Shanru Lin,Qing Li

2024-09-16

Abstract:The rise of online social networks has facilitated the evolution of social recommender systems, which incorporate social relations to enhance users' decision-making process. With the great success of Graph Neural Networks (GNNs) in learning node representations, GNN-based social recommendations have been widely studied to model user-item interactions and user-user social relations simultaneously. Despite their great successes, recent studies have shown that these advanced recommender systems are highly vulnerable to adversarial attacks, in which attackers can inject well-designed fake user profiles to disrupt recommendation performances. While most existing studies mainly focus on argeted attacks to promote target items on vanilla recommender systems, untargeted attacks to degrade the overall prediction performance are less explored on social recommendations under a black-box scenario. To perform untargeted attacks on social recommender systems, attackers can construct malicious social relationships for fake users to enhance the attack performance. However, the coordination of social relations and item profiles is challenging for attacking black-box social recommendations. To address this limitation, we first conduct several preliminary studies to demonstrate the effectiveness of cross-community connections and cold-start items in degrading recommendations performance. Specifically, we propose a novel framework MultiAttack based on multi-agent reinforcement learning to coordinate the generation of cold-start item profiles and cross-community social relations for conducting untargeted attacks on black-box social recommendations. Comprehensive experiments on various real-world datasets demonstrate the effectiveness of our proposed attacking framework under the black-box setting.

Social and Information Networks,Artificial Intelligence

Shiyi Yang,Lina Yao,Chen Wang,Xiwei Xu,Liming Zhu

2024-02-14

Abstract:Recent studies have shown that recommender systems (RSs) are highly vulnerable to data poisoning attacks. Understanding attack tactics helps improve the robustness of RSs. We intend to develop efficient attack methods that use limited resources to generate high-quality fake user profiles to achieve 1) transferability among black-box RSs 2) and imperceptibility among detectors. In order to achieve these goals, we introduce textual reviews of products to enhance the generation quality of the profiles. Specifically, we propose a novel attack framework named R-Trojan, which formulates the attack objectives as an optimization problem and adopts a tailored transformer-based generative adversarial network (GAN) to solve it so that high-quality attack profiles can be produced. Comprehensive experiments on real-world datasets demonstrate that R-Trojan greatly outperforms state-of-the-art attack methods on various victim RSs under black-box settings and show its good imperceptibility.

Cryptography and Security,Artificial Intelligence

Yuzhen Tong,Yadan Luo,Zheng Zhang,Shazia Sadiq,Peng Cui

DOI: https://doi.org/10.1109/ICDEW.2019.00-16

2019-01-01

Abstract:Recommendation systems have been a core part of daily Internet life. Conventional recommendation models hardly defend adversaries due to the natural noise like misclicking. Recent researches on GAN-based recommendation systems can improve the robustness of the learning models, yielding the state-of-the-art performance. The basic idea is to adopt an interplay minimax game on two recommendation systems by picking negative samples as fake items and employ reinforcement learning policy. However, such strategy may lead to mode collapse and result in high vulnerability to adversarial perturbations on its model parameters. In this paper, we propose a new collaborative framework, namely Collaborative Generative Adversarial Network (CGAN), which adopts Variational Auto-encoder (VAE) as the generator and performs adversarial training in the continuous embedding space. The formulation of CGAN has two advantages: 1) its auto-encoder takes the role of generator to mimic the true distribution of users preferences over items by capturing subtle latent factors underlying user-item interactions; 2) the adversarial training in continuous space enhances models robustness and performance. Extensive experiments conducted on two real-world benchmark recommendation datasets demonstrate the superior performance of our CGAN in comparison with the state-of-the-art GAN-based methods.

Jingfan Chen,Wenqi Fan,Guanghui Zhu,Xiangyu Zhao,Chunfeng Yuan,Qing Li,Yihua Huang

DOI: https://doi.org/10.1145/3534678.3539359

2022-07-21

Abstract:Recent studies have shown that deep neural networks-based recommender systems are vulnerable to adversarial attacks, where attackers can inject carefully crafted fake user profiles (i.e., a set of items that fake users have interacted with) into a target recommender system to achieve malicious purposes, such as promote or demote a set of target items. Due to the security and privacy concerns, it is more practical to perform adversarial attacks under the black-box setting, where the architecture/parameters and training data of target systems cannot be easily accessed by attackers. However, generating high-quality fake user profiles under black-box setting is rather challenging with limited resources to target systems. To address this challenge, in this work, we introduce a novel strategy by leveraging items' attribute information (i.e., items' knowledge graph), which can be publicly accessible and provide rich auxiliary knowledge to enhance the generation of fake user profiles. More specifically, we propose a knowledge graph-enhanced black-box attacking framework (KGAttack) to effectively learn attacking policies through deep reinforcement learning techniques, in which knowledge graph is seamlessly integrated into hierarchical policy networks to generate fake user profiles for performing adversarial black-box attacks. Comprehensive experiments on various real-world datasets demonstrate the effectiveness of the proposed attacking framework under the black-box setting.

Machine Learning,Artificial Intelligence,Information Retrieval

Jiaxi Tang,Hongyi Wen,Ke Wang

DOI: https://doi.org/10.1145/3383313.3412243

2020-08-28

Abstract:Recommender systems play an important role in modern information and e-commerce applications. While increasing research is dedicated to improving the relevance and diversity of the recommendations, the potential risks of state-of-the-art recommendation models are under-explored, that is, these models could be subject to attacks from malicious third parties, through injecting fake user interactions to achieve their purposes. This paper revisits the adversarially-learned injection attack problem, where the injected fake user `behaviors' are learned locally by the attackers with their own model -- one that is potentially different from the model under attack, but shares similar properties to allow attack transfer. We found that most existing works in literature suffer from two major limitations: (1) they do not solve the optimization problem precisely, making the attack less harmful than it could be, (2) they assume perfect knowledge for the attack, causing the lack of understanding for realistic attack capabilities. We demonstrate that the exact solution for generating fake users as an optimization problem could lead to a much larger impact. Our experiments on a real-world dataset reveal important properties of the attack, including attack transferability and its limitations. These findings can inspire useful defensive methods against this possible existing attack.

Machine Learning,Information Retrieval

Toan Nguyen Thanh,Nguyen Duc Khang Quach,Thanh Tam Nguyen,Thanh Trung Huynh,Viet Hung Vu,Phi Le Nguyen,Jun Jo,Quoc Viet Hung Nguyen

DOI: https://doi.org/10.1145/3567420

IF: 4.657

2023-02-07

ACM Transactions on Information Systems

Abstract:With recent advancements in graph neural networks (GNN), GNN-based recommender systems (gRS) have achieved remarkable success in the past few years. Despite this success, existing research reveals that gRSs are still vulnerable to poison attacks , in which the attackers inject fake data to manipulate recommendation results as they desire. This might be due to the fact that existing poison attacks (and countermeasures) are either model-agnostic or specifically designed for traditional recommender algorithms (e.g., neighborhood-based, matrix-factorization-based, or deep-learning-based RSs) that are not gRS. As gRSs are widely adopted in the industry, the problem of how to design poison attacks for gRSs has become a need for robust user experience. Herein, we focus on the use of poison attacks to manipulate item promotion in gRSs. Compared to standard GNNs, attacking gRSs is more challenging due to the heterogeneity of network structure and the entanglement between users and items. To overcome such challenges, we propose GSPAttack —a generative surrogate-based poison attack framework for gRSs. GSPAttack tailors a learning process to surrogate a recommendation model as well as generate fake users and user-item interactions while preserving the data correlation between users and items for recommendation accuracy. Although maintaining high accuracy for other items rather than the target item seems counterintuitive, it is equally crucial to the success of a poison attack. Extensive evaluations on four real-world datasets revealed that GSPAttack outperforms all baselines with competent recommendation performance and is resistant to various countermeasures.

computer science, information systems

Min Gao,Junwei Zhang,Junliang Yu,Jundong Li,Junhao Wen,Qingyu Xiong

DOI: https://doi.org/10.48550/arXiv.2003.02474

2020-09-20

Abstract:Recommender systems (RSs) now play a very important role in the online lives of people as they serve as personalized filters for users to find relevant items from an array of options. Owing to their effectiveness, RSs have been widely employed in consumer-oriented e-commerce platforms. However, despite their empirical successes, these systems still suffer from two limitations: data noise and data sparsity. In recent years, generative adversarial networks (GANs) have garnered increased interest in many fields, owing to their strong capacity to learn complex real data distributions; their abilities to enhance RSs by tackling the challenges these systems exhibit have also been demonstrated in numerous studies. In general, two lines of research have been conducted, and their common ideas can be summarized as follows: (1) for the data noise issue, adversarial perturbations and adversarial sampling-based training often serve as a solution; (2) for the data sparsity issue, data augmentation--implemented by capturing the distribution of real data under the minimax framework--is the primary coping strategy. To gain a comprehensive understanding of these research efforts, we review the corresponding studies and models, organizing them from a problem-driven perspective. More specifically, we propose a taxonomy of these models, along with their detailed descriptions and advantages. Finally, we elaborate on several open issues and current trends in GAN-based RSs.

Information Retrieval,Machine Learning

Yashar Deldjoo,Tommaso Di Noia,Felice Antonio Merra

DOI: https://doi.org/10.48550/arXiv.2005.10322

2020-11-10

Abstract:Latent-factor models (LFM) based on collaborative filtering (CF), such as matrix factorization (MF) and deep CF methods, are widely used in modern recommender systems (RS) due to their excellent performance and recommendation accuracy. However, success has been accompanied with a major new arising challenge: many applications of machine learning (ML) are adversarial in nature. In recent years, it has been shown that these methods are vulnerable to adversarial examples, i.e., subtle but non-random perturbations designed to force recommendation models to produce erroneous outputs. The goal of this survey is two-fold: (i) to present recent advances on adversarial machine learning (AML) for the security of RS (i.e., attacking and defense recommendation models), (ii) to show another successful application of AML in generative adversarial networks (GANs) for generative applications, thanks to their ability for learning (high-dimensional) data distributions. In this survey, we provide an exhaustive literature review of 74 articles published in major RS and ML journals and conferences. This review serves as a reference for the RS community, working on the security of RS or on generative models using GANs to improve their quality.

Information Retrieval,Cryptography and Security,Machine Learning,Multimedia

Chengzhi Huang,Hui Li

2023-08-21

Abstract:Recommendation systems (RS) are crucial for alleviating the information overload problem. Due to its pivotal role in guiding users to make decisions, unscrupulous parties are lured to launch attacks against RS to affect the decisions of normal users and gain illegal profits. Among various types of attacks, shilling attack is one of the most subsistent and profitable attacks. In shilling attack, an adversarial party injects a number of well-designed fake user profiles into the system to mislead RS so that the attack goal can be achieved. Although existing shilling attack methods have achieved promising results, they all adopt the attack paradigm of multi-user injection, where some fake user profiles are required. This paper provides the first study of shilling attack in an extremely limited scenario: only one fake user profile is injected into the victim RS to launch shilling attacks (i.e., single-user injection). We propose a novel single-user injection method SUI-Attack for invisible shilling attack. SUI-Attack is a graph based attack method that models shilling attack as a node generation task over the user-item bipartite graph of the victim RS, and it constructs the fake user profile by generating user features and edges that link the fake user to items. Extensive experiments demonstrate that SUI-Attack can achieve promising attack results in single-user injection. In addition to its attack power, SUI-Attack increases the stealthiness of shilling attack and reduces the risk of being detected. We provide our implementation at: <a class="link-external link-https" href="https://github.com/KDEGroup/SUI-Attack" rel="external noopener nofollow">this https URL</a>.

Information Retrieval,Cryptography and Security

Jesús Bobadilla,Abraham Gutiérrez

DOI: https://doi.org/10.1007/s10489-024-05313-4

IF: 5.3

2024-02-18

Applied Intelligence

Abstract:Currently, generative applications are reshaping different fields, such as art, computer vision, speech processing, and natural language. The computer science personalization area is increasingly relevant since large companies such as Spotify, Netflix, TripAdvisor, Amazon, and Google use recommender systems. Then, it is rational to expect that generative learning will increasingly be used to improve current recommender systems. In this paper, a method is proposed to generate synthetic recommender system datasets that can be used to test the recommendation performance and accuracy of a company on different simulated scenarios, such as large increases in their dataset sizes, number of users, or number of items. Specifically, an improvement in the state-of-the-art method is proposed by applying the Wasserstein concept to the generative adversarial network for recommender systems (GANRS) seminal method to generate synthetic datasets. The results show that our proposed method reduces the mode collapse, increases the sizes of the synthetic datasets, improves their ratings distributions, and maintains the potential to choose the desired number of users, number of items, and starting size of the dataset. Both the baseline GANRS and the proposed Wasserstein-based WGANRS deep learning architectures generate fake profiles from dense, short, and continuous embeddings in the latent space instead of the sparse, large, and discrete raw samples that previous GAN models used as a source. To enable reproducibility, the Python and Keras codes are provided in open repositories along with the synthetic datasets generated to test the proposed architecture (https://github.com/jesusbobadilla/ganrs.git).

computer science, artificial intelligence

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Wenqi Fan,Xiangyu Zhao,Qing Li,Tyler Derr,Yao Ma,Hui Liu,Jianping Wang,Jiliang Tang

DOI: https://doi.org/10.1109/tkde.2023.3272652

IF: 9.235

2023-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:As widely used in data-driven decision-making, recommender systems have been recognized for their capabilities to provide users with personalized services in many user-oriented online services, such as E-commerce (e.g., Amazon, Taobao, etc.) and Social Media sites (e.g., Facebook and Twitter). Recent works have shown that deep neural networks-based recommender systems are highly vulnerable to adversarial attacks, where adversaries can inject carefully crafted fake user profiles (i.e., a set of items that fake users have interacted with) into a target recommender system to promote or demote a set of target items. Instead of generating users with fake profiles from scratch, in this paper, we introduce a novel strategy to obtain “fake” user profiles via copying cross-domain user profiles, where a reinforcement learning based black-box attacking framework (CopyAttack+) is developed to effectively and efficiently select cross-domain user profiles from the source domain to attack the target system. Moreover, we propose to train a local surrogate system for mimicking adversarial black-box attacks in the source domain, so as to provide transferable signals with the purpose of enhancing the attacking strategy in the target black-box recommender system. Comprehensive experiments on three real-world datasets are conducted to demonstrate the effectiveness of the proposed attacking framework.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Caiyun Xie,Dengpan Ye,Yunming Zhang,Long Tang,Yunna Lv,Jiacheng Deng,Jiawei Song

2024-12-10

Abstract:The security of AI-generated content (AIGC) detection based on GANs and diffusion models is closely related to the credibility of multimedia content. Malicious adversarial attacks can evade these developing AIGC detection. However, most existing adversarial attacks focus only on GAN-generated facial images detection, struggle to be effective on multi-class natural images and diffusion-based detectors, and exhibit poor invisibility. To fill this gap, we first conduct an in-depth analysis of the vulnerability of AIGC detectors and discover the feature that detectors vary in vulnerability to different post-processing. Then, considering the uncertainty of detectors in real-world scenarios, and based on the discovery, we propose a Realistic-like Robust Black-box Adversarial attack (R$^2$BA) with post-processing fusion optimization. Unlike typical perturbations, R$^2$BA uses real-world post-processing, i.e., Gaussian blur, JPEG compression, Gaussian noise and light spot to generate adversarial examples. Specifically, we use a stochastic particle swarm algorithm with inertia decay to optimize post-processing fusion intensity and explore the detector's decision boundary. Guided by the detector's fake probability, R$^2$BA enhances/weakens the detector-vulnerable/detector-robust post-processing intensity to strike a balance between adversariality and invisibility. Extensive experiments on popular/commercial AIGC detectors and datasets demonstrate that R$^2$BA exhibits impressive anti-detection performance, excellent invisibility, and strong robustness in GAN-based and diffusion-based cases. Compared to state-of-the-art white-box and black-box attacks, R$^2$BA shows significant improvements of 15% and 21% in anti-detection performance under the original and robust scenario respectively, offering valuable insights for the security of AIGC detection in real-world applications.

Computer Vision and Pattern Recognition