PopSkipJump: Decision-Based Attack for Probabilistic Classifiers
- URL: http://arxiv.org/abs/2106.07445v1
- Date: Mon, 14 Jun 2021 14:13:12 GMT
- Title: PopSkipJump: Decision-Based Attack for Probabilistic Classifiers
- Authors: Carl-Johann Simon-Gabriel and Noman Ahmed Sheikh and Andreas Krause
- Abstract summary: P(robabilisticH)opSkipJump adapts its amount of queries to maintain HopSkipJump's original output quality across various noise levels.
We show that off-the-shelf randomized defenses offer almost no extra robustness to decision-based attacks.
- Score: 43.62922682676909
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Most current classifiers are vulnerable to adversarial examples, small input
perturbations that change the classification output. Many existing attack
algorithms cover various settings, from white-box to black-box classifiers, but
typically assume that the answers are deterministic and often fail when they
are not. We therefore propose a new adversarial decision-based attack
specifically designed for classifiers with probabilistic outputs. It is based
on the HopSkipJump attack by Chen et al. (2019, arXiv:1904.02144v5), a strong
and query-efficient decision-based attack originally designed for deterministic
classifiers. Our P(robabilisticH)opSkipJump attack adapts its amount of queries
to maintain HopSkipJump's original output quality across various noise levels,
while converging to its query efficiency as the noise level decreases. We test
our attack on various noise models, including state-of-the-art off-the-shelf
randomized defenses, and show that they offer almost no extra robustness to
decision-based attacks. Code is available at
https://github.com/cjsg/PopSkipJump.
Related papers
- On the Role of Randomization in Adversarially Robust Classification [13.39932522722395]
We show that a randomized ensemble outperforms the hypothesis set in adversarial risk.
We also give an explicit description of the deterministic hypothesis set that contains such a deterministic classifier.
arXiv Detail & Related papers (2023-02-14T17:51:00Z)
- Zero-Query Transfer Attacks on Context-Aware Object Detectors [95.18656036716972]
Adversarial attacks perturb images such that a deep neural network produces incorrect classification results.
A promising approach to defend against adversarial attacks on natural multi-object scenes is to impose a context-consistency check.
We present the first approach for generating context-consistent adversarial attacks that can evade the context-consistency check.
arXiv Detail & Related papers (2022-03-29T04:33:06Z)
- Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios [22.22337220509128]
Backdoor attacks (BAs) are an emerging threat to deep neural network classifiers.
We propose a detection framework based on BP reverse-engineering and a novel expected transferability (ET) statistic.
arXiv Detail & Related papers (2022-01-20T22:21:38Z)
- Towards A Conceptually Simple Defensive Approach for Few-shot Classifiers Against Adversarial Support Samples [107.38834819682315]
We study a conceptually simple approach to defend few-shot classifiers against adversarial attacks.
We propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering.
Our evaluation on the miniImagenet (MI) and CUB datasets exhibits good attack detection performance.
arXiv Detail & Related papers (2021-10-24T05:46:03Z)
- Prototypical Classifier for Robust Class-Imbalanced Learning [64.96088324684683]
We propose Prototypical, which does not require fitting additional parameters given the embedding network.
Prototypical produces balanced and comparable predictions for all classes even though the training set is class-imbalanced.
We test our method on CIFAR-10LT, CIFAR-100LT and Webvision datasets, observing that Prototypical obtains substantial improvements compared with the state of the art.
arXiv Detail & Related papers (2021-10-22T01:55:01Z)
- Composite Adversarial Attacks [57.293211764569996]
Adversarial attack is a technique for deceiving Machine Learning (ML) models.
In this paper, a new procedure called Composite Adversarial Attack (CAA) is proposed for automatically searching for the best combination of attack algorithms.
CAA beats 10 top attackers on 11 diverse defenses with less elapsed time.
arXiv Detail & Related papers (2020-12-10T03:21:16Z)
- Robustness Verification for Classifier Ensembles [3.5884936187733394]
The robustness-checking problem consists of assessing, given a set of classifiers and a labelled data set, whether there exists a randomized attack.
We show the NP-hardness of the problem and provide an upper bound on the number of attacks that is sufficient to form an optimal randomized attack.
Our prototype implementation verifies multiple neural-network ensembles trained for image-classification tasks.
arXiv Detail & Related papers (2020-05-12T07:38:43Z)
- Randomization matters. How to defend against strong adversarial attacks [17.438104235331085]
We show that adversarial attacks and defenses form an infinite zero-sum game where classical results do not apply.
We show that our defense method considerably outperforms Adversarial Training against state-of-the-art attacks.
arXiv Detail & Related papers (2020-02-26T15:31:31Z)
- Certified Robustness to Label-Flipping Attacks via Randomized Smoothing [105.91827623768724]
Machine learning algorithms are susceptible to data poisoning attacks.
We present a unifying view of randomized smoothing over arbitrary functions.
We propose a new strategy for building classifiers that are pointwise-certifiably robust to general data poisoning attacks.
arXiv Detail & Related papers (2020-02-07T21:28:30Z)
This list is automatically generated from the titles and abstracts of the papers in this site.