AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows

• URL: http://arxiv.org/abs/2007.07435v2
• Date: Fri, 23 Oct 2020 00:36:25 GMT
• Title: AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows
• Authors: Hadi M. Dolatabadi, Sarah Erfani, Christopher Leckie
• Abstract summary: We introduce AdvFlow: a novel black-box adversarial attack method on image classifiers. We see that the proposed method generates adversaries that closely follow the clean data distribution, a property which makes their detection less likely.
• Score: 11.510009152620666
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Deep learning classifiers are susceptible to well-crafted, imperceptible variations of their inputs, known as adversarial attacks. In this regard, the study of powerful attack models sheds light on the sources of vulnerability in these classifiers, hopefully leading to more robust ones. In this paper, we introduce AdvFlow: a novel black-box adversarial attack method on image classifiers that exploits the power of normalizing flows to model the density of adversarial examples around a given target image. We see that the proposed method generates adversaries that closely follow the clean data distribution, a property which makes their detection less likely. Also, our experimental results show competitive performance of the proposed approach with some of the existing attack methods on defended classifiers. The code is available at https://github.com/hmdolatabadi/AdvFlow.

Related papers

• Breaking Free: How to Hack Safety Guardrails in Black-Box Diffusion Models! [52.0855711767075]
  EvoSeed is an evolutionary strategy-based algorithmic framework for generating photo-realistic natural adversarial samples. We employ CMA-ES to optimize the search for an initial seed vector, which, when processed by the Conditional Diffusion Model, results in the natural adversarial sample misclassified by the Model. Experiments show that generated adversarial images are of high image quality, raising concerns about generating harmful content bypassing safety classifiers.
  arXiv  Detail & Related papers  (2024-02-07T09:39:29Z)
• Diffusion Models for Adversarial Purification [69.1882221038846]
  Adrial purification refers to a class of defense methods that remove adversarial perturbations using a generative model. We propose DiffPure that uses diffusion models for adversarial purification. Our method achieves the state-of-the-art results, outperforming current adversarial training and adversarial purification methods.
  arXiv  Detail & Related papers  (2022-05-16T06:03:00Z)
• RamBoAttack: A Robust Query Efficient Deep Neural Network Decision Exploit [9.93052896330371]
  We develop a robust query efficient attack capable of avoiding entrapment in a local minimum and misdirection from noisy gradients. The RamBoAttack is more robust to the different sample inputs available to an adversary and the targeted class.
  arXiv  Detail & Related papers  (2021-12-10T01:25:24Z)
• Towards A Conceptually Simple Defensive Approach for Few-shot classifiers Against Adversarial Support Samples [107.38834819682315]
  We study a conceptually simple approach to defend few-shot classifiers against adversarial attacks. We propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering. Our evaluation on the miniImagenet (MI) and CUB datasets exhibit good attack detection performance.
  arXiv  Detail & Related papers  (2021-10-24T05:46:03Z)
• IoU Attack: Towards Temporally Coherent Black-Box Adversarial Attack for Visual Object Tracking [70.14487738649373]
  Adrial attack arises due to the vulnerability of deep neural networks to perceive input samples injected with imperceptible perturbations. We propose a decision-based black-box attack method for visual object tracking. We validate the proposed IoU attack on state-of-the-art deep trackers.
  arXiv  Detail & Related papers  (2021-03-27T16:20:32Z)
• Poisoned classifiers are not only backdoored, they are fundamentally broken [84.67778403778442]
  Under a commonly-studied backdoor poisoning attack against classification models, an attacker adds a small trigger to a subset of the training data. It is often assumed that the poisoned classifier is vulnerable exclusively to the adversary who possesses the trigger. In this paper, we show empirically that this view of backdoored classifiers is incorrect.
  arXiv  Detail & Related papers  (2020-10-18T19:42:44Z)
• Anomaly Detection-Based Unknown Face Presentation Attack Detection [74.4918294453537]
  Anomaly detection-based spoof attack detection is a recent development in face Presentation Attack Detection. In this paper, we present a deep-learning solution for anomaly detection-based spoof attack detection. The proposed approach benefits from the representation learning power of the CNNs and learns better features for fPAD task.
  arXiv  Detail & Related papers  (2020-07-11T21:20:55Z)
• Black-box Adversarial Example Generation with Normalizing Flows [11.510009152620666]
  We propose a novel black-box adversarial attack using normalizing flows. We show how an adversary can be found by searching over a pre-trained flow-based model base distribution.
  arXiv  Detail & Related papers  (2020-07-06T13:14:21Z)
• Adversarial Feature Desensitization [12.401175943131268]
  We propose a novel approach to adversarial robustness, which builds upon the insights from the domain adaptation field. Our method, called Adversarial Feature Desensitization (AFD), aims at learning features that are invariant towards adversarial perturbations of the inputs.
  arXiv  Detail & Related papers  (2020-06-08T14:20:02Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.