RamBoAttack: A Robust Query Efficient Deep Neural Network Decision
Exploit
- URL: http://arxiv.org/abs/2112.05282v3
- Date: Fri, 24 Mar 2023 02:16:07 GMT
- Title: RamBoAttack: A Robust Query Efficient Deep Neural Network Decision
Exploit
- Authors: Viet Quoc Vo and Ehsan Abbasnejad and Damith C. Ranasinghe
- Abstract summary: We develop a robust query efficient attack capable of avoiding entrapment in a local minimum and misdirection from noisy gradients.
The RamBoAttack is more robust to the different sample inputs available to an adversary and the targeted class.
- Score: 9.93052896330371
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Machine learning models are critically susceptible to evasion attacks from
adversarial examples. Generally, adversarial examples, modified inputs
deceptively similar to the original input, are constructed under whitebox
settings by adversaries with full access to the model. However, recent attacks
have shown a remarkable reduction in query numbers to craft adversarial
examples using blackbox attacks. Particularly alarming is the ability to
exploit the classification decision from the access interface of a trained
model provided by a growing number of Machine Learning as a Service providers
including Google, Microsoft and IBM, and used by a plethora of applications
incorporating these models. The ability of an adversary to exploit only the
predicted label from a model to craft adversarial examples is distinguished as
a decision-based attack. In our study, we first deep dive into recent
state-of-the-art decision-based attacks in ICLR and SP to highlight the costly
nature of discovering low distortion adversarial examples employing gradient estimation
methods. We develop a robust query efficient attack capable of avoiding
entrapment in a local minimum and misdirection from noisy gradients seen in
gradient estimation methods. The attack method we propose, RamBoAttack,
exploits the notion of Randomized Block Coordinate Descent to explore the
hidden classifier manifold, targeting perturbations to manipulate only
localized input features to address the issues of gradient estimation methods.
Importantly, the RamBoAttack is more robust to the different sample inputs
available to an adversary and the targeted class. Overall, for a given target
class, RamBoAttack is demonstrated to be more robust at achieving a lower
distortion within a given query budget. We curate our extensive results using
the large-scale high-resolution ImageNet dataset and open-source our attack,
test samples and artifacts on GitHub.
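To make the decision-based setting and the randomized block coordinate descent idea concrete, the sketch below is a minimal illustration, not the authors' released implementation (which is on GitHub): the attacker observes only the predicted label through a query oracle, and refines an existing adversarial example by perturbing one randomly chosen block of pixels at a time toward the original image, keeping a candidate only when the target decision is preserved and the L2 distortion decreases. The model interface, block size, step size, and acceptance rule are assumptions made for this example.

```python
import numpy as np

def decision_oracle(model, x):
    """Label-only query: the attacker sees only the predicted class index."""
    return int(np.argmax(model(x)))

def block_coordinate_refine(model, x_orig, x_adv, target_label,
                            block_size=8, step=0.1, queries=5000, rng=None):
    """Illustrative randomized block coordinate descent refinement.

    Starts from an example x_adv already classified as target_label and
    repeatedly moves one randomly chosen pixel block toward the original
    image, accepting a candidate only if it keeps the target decision and
    lowers the L2 distortion to x_orig. Inputs are assumed to be float
    arrays of shape (H, W, C) with values in [0, 1].
    """
    rng = np.random.default_rng() if rng is None else rng
    h, w = x_orig.shape[:2]
    best = x_adv.copy()
    best_dist = np.linalg.norm(best - x_orig)
    for _ in range(queries):
        # Pick a random block (a localized subset of input coordinates).
        top = int(rng.integers(0, h - block_size + 1))
        left = int(rng.integers(0, w - block_size + 1))
        blk = (slice(top, top + block_size), slice(left, left + block_size))
        cand = best.copy()
        # Perturb only that block, pulling it toward the original image.
        cand[blk] += step * (x_orig[blk] - cand[blk])
        cand = np.clip(cand, 0.0, 1.0)
        # One label-only query; keep only improving, still-adversarial moves.
        if decision_oracle(model, cand) == target_label:
            dist = np.linalg.norm(cand - x_orig)
            if dist < best_dist:
                best, best_dist = cand, dist
    return best, best_dist
```

Because each candidate costs a single label-only query, confining every update to a localized block keeps the search tractable without estimating gradients, which mirrors the localized-feature intuition described in the abstract.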
Related papers
- AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338]
Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries.
We show that ACPT can detect 7 state-of-the-art query-based attacks with a >99% detection rate within 5 shots.
We also show that ACPT is robust to 3 types of adaptive attacks.
arXiv Detail & Related papers (2024-08-04T09:53:50Z)
- BruSLeAttack: A Query-Efficient Score-Based Black-Box Sparse Adversarial Attack [22.408968332454062]
We study the unique, less well-understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries.
We develop the BruSLeAttack-a new, faster (more query-efficient) algorithm for the problem.
Our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.
arXiv Detail & Related papers (2024-04-08T08:59:26Z)
- Defense Against Model Extraction Attacks on Recommender Systems [53.127820987326295]
We introduce Gradient-based Ranking Optimization (GRO) to defend against model extraction attacks on recommender systems.
GRO aims to minimize the loss of the protected target model while maximizing the loss of the attacker's surrogate model.
Results show GRO's superior effectiveness in defending against model extraction attacks.
arXiv Detail & Related papers (2023-10-25T03:30:42Z)
- Unrestricted Black-box Adversarial Attack Using GAN with Limited Queries [1.7205106391379026]
We present a novel method for generating unrestricted adversarial examples using GAN.
Our method, Latent-HSJA, efficiently leverages the advantages of a decision-based attack in the latent space.
We demonstrate that our proposed method is efficient in evaluating the robustness of classification models with limited queries in a black-box setting.
arXiv Detail & Related papers (2022-08-24T15:28:46Z)
- Towards A Conceptually Simple Defensive Approach for Few-shot classifiers Against Adversarial Support Samples [107.38834819682315]
We study a conceptually simple approach to defend few-shot classifiers against adversarial attacks.
We propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering.
Our evaluation on the miniImagenet (MI) and CUB datasets exhibits good attack detection performance.
arXiv Detail & Related papers (2021-10-24T05:46:03Z)
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
Generative-based adversarial attacks can get rid of this limitation.
A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- Automated Decision-based Adversarial Attacks [48.01183253407982]
We consider the practical and challenging decision-based black-box adversarial setting.
Under this setting, the attacker can only acquire the final classification labels by querying the target model.
We propose to automatically discover decision-based adversarial attack algorithms.
arXiv Detail & Related papers (2021-05-09T13:15:10Z)
- ExAD: An Ensemble Approach for Explanation-based Adversarial Detection [17.455233006559734]
We propose ExAD, a framework to detect adversarial examples using an ensemble of explanation techniques.
We evaluate our approach using six state-of-the-art adversarial attacks on three image datasets.
arXiv Detail & Related papers (2021-03-22T00:53:07Z)
- Detection of Adversarial Supports in Few-shot Classifiers Using Feature Preserving Autoencoders and Self-Similarity [89.26308254637702]
We propose a detection strategy to highlight adversarial support sets.
We make use of feature preserving autoencoder filtering and also the concept of self-similarity of a support set to perform this detection.
Our method is attack-agnostic and also the first to explore detection for few-shot classifiers to the best of our knowledge.
arXiv Detail & Related papers (2020-12-09T14:13:41Z)