Black-box Adversarial Example Generation with Normalizing Flows
- URL: http://arxiv.org/abs/2007.02734v1
- Date: Mon, 6 Jul 2020 13:14:21 GMT
- Title: Black-box Adversarial Example Generation with Normalizing Flows
- Authors: Hadi M. Dolatabadi, Sarah Erfani, Christopher Leckie
- Abstract summary: We propose a novel black-box adversarial attack using normalizing flows.
We show how an adversary can be found by searching over a pre-trained flow-based model base distribution.
- Score: 11.510009152620666
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep neural network classifiers suffer from adversarial vulnerability:
well-crafted, unnoticeable changes to the input data can affect the classifier
decision. In this regard, the study of powerful adversarial attacks can help
shed light on sources of this malicious behavior. In this paper, we propose a
novel black-box adversarial attack using normalizing flows. We show how an
adversary can be found by searching over a pre-trained flow-based model base
distribution. This way, we can generate adversaries that resemble the original
data closely as the perturbations are in the shape of the data. We then
demonstrate the competitive performance of the proposed approach against
well-known black-box adversarial attack methods.
Related papers
- Understanding the Robustness of Randomized Feature Defense Against Query-Based Adversarial Attacks [23.010308600769545] (arXiv, 2023-10-01T03:53:23Z)
  Deep neural networks are vulnerable to adversarial examples that find samples close to the original image but can make the model misclassify.
  We propose a simple and lightweight defense against black-box attacks by adding random noise to hidden features at intermediate layers of the model at inference time.
  Our method effectively enhances the model's resilience against both score-based and decision-based black-box attacks.
- Generalizable Black-Box Adversarial Attack with Meta Learning [54.196613395045595] (arXiv, 2023-01-01T07:24:12Z)
  In black-box adversarial attack, the target model's parameters are unknown, and the attacker aims to find a successful perturbation based on query feedback under a query budget.
  We propose to utilize the feedback information across historical attacks, dubbed example-level adversarial transferability.
  The proposed framework with the two types of adversarial transferability can be naturally combined with any off-the-shelf query-based attack methods to boost their performance.
- Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition [99.29804193431823] (arXiv, 2022-11-23T17:47:49Z)
  Black-box adversarial attacks present a realistic threat to action recognition systems.
  We propose a new attack on action recognition that addresses these shortcomings by generating perturbations.
  Our method achieves 8% and 12% higher deception rates compared to state-of-the-art query-based and transfer-based attacks.
- Adversarial Attacks are a Surprisingly Strong Baseline for Poisoning Few-Shot Meta-Learners [28.468089304148453] (arXiv, 2022-11-23T14:55:44Z)
  We attack amortized meta-learners, which allows us to craft colluding sets of inputs that fool the system's learning algorithm.
  We show that in a white-box setting, these attacks are very successful and can cause the target model's predictions to become worse than chance.
  We explore two hypotheses to explain this: 'overfitting' by the attack, and mismatch between the model on which the attack is generated and that to which the attack is transferred.
- Understanding the Vulnerability of Skeleton-based Human Activity Recognition via Black-box Attack [53.032801921915436] (arXiv, 2022-11-21T09:51:28Z)
  Human Activity Recognition (HAR) has been employed in a wide range of applications, e.g. self-driving cars.
  Recently, the robustness of skeleton-based HAR methods has been questioned due to their vulnerability to adversarial attacks.
  We show such threats exist, even when the attacker only has access to the input/output of the model.
  We propose the very first black-box adversarial attack approach in skeleton-based HAR, called BASAR.
- Modelling Adversarial Noise for Adversarial Defense [96.56200586800219] (arXiv, 2021-09-21T01:13:26Z)
  Adversarial defenses typically focus on exploiting adversarial examples to remove adversarial noise or train an adversarially robust target model.
  We are motivated by the observation that the relationship between adversarial data and natural data can help infer clean data from adversarial data to obtain the final correct prediction.
  We study how to model adversarial noise to learn the transition relationship in the label space, using adversarial labels to improve adversarial accuracy.
- Towards Defending against Adversarial Examples via Attack-Invariant Features [147.85346057241605] (arXiv, 2021-06-09T12:49:54Z)
  Deep neural networks (DNNs) are vulnerable to adversarial noise.
  Adversarial robustness can be improved by exploiting adversarial examples.
  Models trained on seen types of adversarial examples generally cannot generalize well to unseen types of adversarial examples.
- Local Black-box Adversarial Attacks: A Query Efficient Approach [64.98246858117476] (arXiv, 2021-01-04T15:32:16Z)
  Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios.
  We propose a novel framework to perturb the discriminative areas of clean examples only, within limited queries, in black-box attacks.
  We conduct extensive experiments to show that our framework can significantly improve the query efficiency during black-box perturbing with a high attack success rate.
- AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows [11.510009152620666] (arXiv, 2020-07-15T02:13:49Z)
  We introduce AdvFlow: a novel black-box adversarial attack method on image classifiers.
  We see that the proposed method generates adversaries that closely follow the clean data distribution, a property which makes their detection less likely.
- Adversarial Feature Desensitization [12.401175943131268] (arXiv, 2020-06-08T14:20:02Z)
  We propose a novel approach to adversarial robustness, which builds upon the insights from the domain adaptation field.
  Our method, called Adversarial Feature Desensitization (AFD), aims at learning features that are invariant towards adversarial perturbations of the inputs.
- Data-Free Adversarial Perturbations for Practical Black-Box Attack [25.44755251319056] (arXiv, 2020-03-03T02:22:12Z)
  We present a data-free method for crafting adversarial perturbations that can fool a target model without any knowledge about the training data distribution.
  Our method empirically shows that current deep learning models are still at risk even when the attackers do not have access to training data.
This list is automatically generated from the titles and abstracts of the papers in this site.