Query complexity of adversarial attacks

• URL: http://arxiv.org/abs/2010.01039v2
• Date: Wed, 10 Feb 2021 14:38:56 GMT
• Title: Query complexity of adversarial attacks
• Authors: Grzegorz G{\l}uch, R\"udiger Urbanke
• Abstract summary: Two main attack models are considered in the adversarial literature: black-box and white-box. We consider these threat models as two ends of a fine-grained spectrum, indexed by the number of queries the adversary can ask. We investigate how many queries the adversary needs to make to design an attack that is comparable to the best possible attack in the white-box model.
• Score: 4.873362301533825
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: There are two main attack models considered in the adversarial robustness literature: black-box and white-box. We consider these threat models as two ends of a fine-grained spectrum, indexed by the number of queries the adversary can ask. Using this point of view we investigate how many queries the adversary needs to make to design an attack that is comparable to the best possible attack in the white-box model. We give a lower bound on that number of queries in terms of entropy of decision boundaries of the classifier. Using this result we analyze two classical learning algorithms on two synthetic tasks for which we prove meaningful security guarantees. The obtained bounds suggest that some learning algorithms are inherently more robust against query-bounded adversaries than others.

Related papers

• AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338]
  Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries. We show that ACPT can detect 7 state-of-the-art query-based attacks with $>99%$ detection rate within 5 shots. We also show that ACPT is robust to 3 types of adaptive attacks.
  arXiv  Detail & Related papers  (2024-08-04T09:53:50Z)
• BruSLeAttack: A Query-Efficient Score-Based Black-Box Sparse Adversarial Attack [22.408968332454062]
  We study the unique, less-well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. We develop the BruSLeAttack-a new, faster (more query-efficient) algorithm for the problem. Our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.
  arXiv  Detail & Related papers  (2024-04-08T08:59:26Z)
• On Evaluating the Adversarial Robustness of Semantic Segmentation Models [0.0]
  A number of adversarial training approaches have been proposed as a defense against adversarial perturbation. We show for the first time that a number of models in previous work that are claimed to be robust are in fact not robust at all. We then evaluate simple adversarial training algorithms that produce reasonably robust models even under our set of strong attacks.
  arXiv  Detail & Related papers  (2023-06-25T11:45:08Z)
• Among Us: Adversarially Robust Collaborative Perception by Consensus [50.73128191202585]
  Multiple robots could perceive a scene (e.g., detect objects) collaboratively better than individuals. We propose ROBOSAC, a novel sampling-based defense strategy generalizable to unseen attackers. We validate our method on the task of collaborative 3D object detection in autonomous driving scenarios.
  arXiv  Detail & Related papers  (2023-03-16T17:15:25Z)
• Zero-Query Transfer Attacks on Context-Aware Object Detectors [95.18656036716972]
  Adversarial attacks perturb images such that a deep neural network produces incorrect classification results. A promising approach to defend against adversarial attacks on natural multi-object scenes is to impose a context-consistency check. We present the first approach for generating context-consistent adversarial attacks that can evade the context-consistency check.
  arXiv  Detail & Related papers  (2022-03-29T04:33:06Z)
• Online Adversarial Attacks [57.448101834579624]
  We formalize the online adversarial attack problem, emphasizing two key elements found in real-world use-cases. We first rigorously analyze a deterministic variant of the online threat model. We then propose algoname, a simple yet practical algorithm yielding a provably better competitive ratio for $k=2$ over the current best single threshold algorithm.
  arXiv  Detail & Related papers  (2021-03-02T20:36:04Z)
• Explain2Attack: Text Adversarial Attacks via Cross-Domain Interpretability [18.92690624514601]
  Research has shown that down-stream models can be easily fooled with adversarial inputs that look like the training data, but slightly perturbed, in a way imperceptible to humans. In this paper, we propose Explain2Attack, a black-box adversarial attack on text classification task. We show that our framework either achieves or out-performs attack rates of the state-of-the-art models, yet with lower queries cost and higher efficiency.
  arXiv  Detail & Related papers  (2020-10-14T04:56:41Z)
• A black-box adversarial attack for poisoning clustering [78.19784577498031]
  We propose a black-box adversarial attack for crafting adversarial samples to test the robustness of clustering algorithms. We show that our attacks are transferable even against supervised algorithms such as SVMs, random forests, and neural networks.
  arXiv  Detail & Related papers  (2020-09-09T18:19:31Z)
• Differentiable Language Model Adversarial Attacks on Categorical Sequence Classifiers [0.0]
  An adversarial attack paradigm explores various scenarios for the vulnerability of deep learning models. We use a fine-tuning of a language model for adversarial attacks as a generator of adversarial examples. Our model works for diverse datasets on bank transactions, electronic health records, and NLP datasets.
  arXiv  Detail & Related papers  (2020-06-19T11:25:36Z)
• Defensive Few-shot Learning [77.82113573388133]
  This paper investigates a new challenging problem called defensive few-shot learning. It aims to learn a robust few-shot model against adversarial attacks. The proposed framework can effectively make the existing few-shot models robust against adversarial attacks.
  arXiv  Detail & Related papers  (2019-11-16T05:57:16Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.