BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian
Optimization
- URL: http://arxiv.org/abs/2106.02732v1
- Date: Fri, 4 Jun 2021 21:46:37 GMT
- Title: BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian
Optimization
- Authors: Zhuosheng Zhang, Shucheng Yu
- Abstract summary: Decision-based attacks (DBA) perturb inputs to spoof learning algorithms by observing solely the output labels.
BO-DBA generates adversarial examples by searching so-called directions of perturbations.
It then formulates the problem as a BO problem that minimizes the real-valued distortion of perturbations.
- Score: 8.028900651913148
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Decision-based attacks (DBA), wherein attackers perturb inputs to spoof
learning algorithms by observing solely the output labels, are a type of severe
adversarial attacks against Deep Neural Networks (DNNs) requiring minimal
knowledge of attackers. State-of-the-art DBA attacks relying on zeroth-order
gradient estimation require an excessive number of queries. Recently, Bayesian
optimization (BO) has shown promise in reducing the number of queries in
score-based attacks (SBA), in which attackers need to observe real-valued
probability scores as outputs. However, extending BO to the setting of DBA is
nontrivial because in DBA only output labels instead of real-valued scores, as
needed by BO, are available to attackers. In this paper, we close this gap by
proposing an efficient DBA attack, namely BO-DBA. Different from existing
approaches, BO-DBA generates adversarial examples by searching so-called
directions of perturbations. It then formulates the problem as a BO
problem that minimizes the real-valued distortion of perturbations. With the
optimized perturbation generation process, BO-DBA converges much faster than
the state-of-the-art DBA techniques. Experimental results on pre-trained
ImageNet classifiers show that BO-DBA converges within 200 queries while the
state-of-the-art DBA techniques need over 15,000 queries to achieve the same
level of perturbation distortion. BO-DBA also shows similar attack success
rates even as compared to BO-based SBA attacks but with less distortion.
Related papers
- ADBA:Approximation Decision Boundary Approach for Black-Box Adversarial Attacks [6.253823500300899]
Black-box attacks are stealthy, generating adversarial examples using hard labels from machine learning models.
This paper introduces a novel approach using the Approximation Decision Boundary (ADB) to efficiently and accurately compare perturbation directions.
The effectiveness of our ADB approach (ADBA) hinges on promptly identifying suitable ADB, ensuring reliable differentiation of all perturbation directions.
arXiv Detail & Related papers (2024-06-07T15:09:25Z)
- Advancing Generalized Transfer Attack with Initialization Derived Bilevel Optimization and Dynamic Sequence Truncation [49.480978190805125]
Transfer attacks generate significant interest for black-box applications.
Existing works essentially directly optimize the single-level objective w.r.t. surrogate model.
We propose a bilevel optimization paradigm, which explicitly reforms the nested relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker.
arXiv Detail & Related papers (2024-06-04T07:45:27Z)
- Direct Diffusion Bridge using Data Consistency for Inverse Problems [65.04689839117692]
Diffusion model-based inverse problem solvers have shown impressive performance, but are limited in speed.
Several recent works have tried to alleviate this problem by building a diffusion process, directly bridging the clean and the corrupted.
We propose a modified inference procedure that imposes data consistency without the need for fine-tuning.
arXiv Detail & Related papers (2023-05-31T12:51:10Z)
- A Large-scale Multiple-objective Method for Black-box Attack against Object Detection [70.00150794625053]
We propose to minimize the true positive rate and maximize the false positive rate, which can encourage more false positive objects to block the generation of new true positive bounding boxes.
We extend the standard Genetic Algorithm with Random Subset selection and Divide-and-Conquer, called GARSDC, which significantly improves the efficiency.
Compared with the state-of-art attack methods, GARSDC decreases by an average 12.0 in the mAP and queries by about 1000 times in extensive experiments.
arXiv Detail & Related papers (2022-09-16T08:36:42Z)
- BOBA: Byzantine-Robust Federated Learning with Label Skewness [39.75185862573534]
In federated learning, most existing robust aggregation rules (AGRs) combat Byzantine attacks in the IID setting.
We address label skewness, a more realistic and challenging non-IID setting, where each client only has access to a few classes of data.
In this setting, state-of-the-art AGRs suffer from selection bias, leading to significant performance drop for particular classes.
We propose an efficient two-stage method named BOBA to address these limitations.
arXiv Detail & Related papers (2022-08-27T05:54:43Z)
- Versatile Weight Attack via Flipping Limited Bits [68.45224286690932]
We study a novel attack paradigm, which modifies model parameters in the deployment stage.
Considering the effectiveness and stealthiness goals, we provide a general formulation to perform the bit-flip based weight attack.
We present two cases of the general formulation with different malicious purposes, i.e., single sample attack (SSA) and triggered samples attack (TSA).
arXiv Detail & Related papers (2022-07-25T03:24:58Z)
- Adversarial Unlearning of Backdoors via Implicit Hypergradient [13.496838121707754]
We propose a minimax formulation for removing backdoors from a poisoned model based on a small set of clean data.
We use the Implicit Backdoor Adversarial Unlearning (I-BAU) algorithm to solve the minimax.
I-BAU's performance is comparable to and most often significantly better than the best baseline.
arXiv Detail & Related papers (2021-10-07T18:32:54Z)
- An Improved BAT Algorithm for Solving Job Scheduling Problems in Hotels and Restaurants [12.641474799416772]
The Bat algorithm (BA) is a popular example of metaheuristic algorithms from the swarm intelligence family.
In this paper, an improvement on the original BA has been made to speed up convergence and make the method more practical for large applications.
The modified BA was applied to solve a real-world job scheduling problem in hotels and restaurants.
arXiv Detail & Related papers (2021-07-25T09:46:52Z)
- Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits [55.740716446995805]
We study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes.
Our goal is to misclassify a specific sample into a target class without any sample modification.
By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem.
arXiv Detail & Related papers (2021-02-21T03:13:27Z)
- Composite Adversarial Attacks [57.293211764569996]
Adversarial attack is a technique for deceiving Machine Learning (ML) models.
In this paper, a new procedure called Composite Adversarial Attack (CAA) is proposed for automatically searching the best combination of attack algorithms.
CAA beats 10 top attackers on 11 diverse defenses with less elapsed time.
arXiv Detail & Related papers (2020-12-10T03:21:16Z)
- QEBA: Query-Efficient Boundary-Based Blackbox Attack [27.740081902519517]
We propose a Query-Efficient Boundary-based blackbox Attack (QEBA) based only on model's final prediction labels.
We show that compared with the state-of-the-art blackbox attacks, QEBA is able to use a smaller number of queries to achieve a lower magnitude of perturbation with 100% attack success rate.
arXiv Detail & Related papers (2020-05-28T16:41:12Z)
This list is automatically generated from the titles and abstracts of the papers in this site.