Transfer Attacks Revisited: A Large-Scale Empirical Study in Real
Computer Vision Settings
- URL: http://arxiv.org/abs/2204.04063v1
- Date: Thu, 7 Apr 2022 12:16:24 GMT
- Title: Transfer Attacks Revisited: A Large-Scale Empirical Study in Real
Computer Vision Settings
- Authors: Yuhao Mao, Chong Fu, Saizhuo Wang, Shouling Ji, Xuhong Zhang,
Zhenguang Liu, Jun Zhou, Alex X. Liu, Raheem Beyah, Ting Wang
- Abstract summary: We conduct the first systematic empirical study of transfer attacks against major cloud-based ML platforms.
The study leads to a number of interesting findings that are inconsistent with existing ones.
We believe this work sheds light on the vulnerabilities of popular ML platforms and points to a few promising research directions.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: One intriguing property of adversarial attacks is their "transferability":
an adversarial example crafted with respect to one deep neural network (DNN)
model is often found effective against other DNNs as well. Intensive research
has been conducted on this phenomenon under simplistic controlled conditions.
Yet, thus far, there is still a lack of comprehensive understanding of
transferability-based attacks ("transfer attacks") in real-world environments.
To bridge this critical gap, we conduct the first large-scale systematic
empirical study of transfer attacks against major cloud-based MLaaS platforms,
taking the components of a real transfer attack into account. The study leads
to a number of interesting findings that are inconsistent with existing
ones, including: (1) Simple surrogates do not necessarily improve real transfer
attacks. (2) No dominant surrogate architecture is found in real transfer
attacks. (3) It is the gap between posteriors (the outputs of the softmax layer),
rather than the gap between logits (the so-called $\kappa$ value), that increases
transferability. Moreover, by comparing with prior works, we demonstrate that
transfer attacks possess many previously unknown properties in real-world
environments, such as: (1) Model similarity is not a well-defined concept. (2)
The $L_2$ norm of the perturbation can produce high transferability without any
use of gradients and is a more powerful source of transferability than the
$L_\infty$ norm. We believe this work sheds light on the vulnerabilities of
popular MLaaS platforms and points to a few promising research directions.
Related papers
- Advancing Generalized Transfer Attack with Initialization Derived Bilevel Optimization and Dynamic Sequence Truncation (arXiv, 2024-06-04)
  Transfer attacks generate significant interest for black-box applications.
  Existing works essentially directly optimize the single-level objective w.r.t. the surrogate model.
  We propose a bilevel optimization paradigm, which explicitly reforms the nested relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker.
- Explainable and Transferable Adversarial Attack for ML-Based Network Intrusion Detectors (arXiv, 2024-01-19)
  Machine learning (ML) has proven to be highly vulnerable to adversarial attacks.
  White-box and black-box adversarial attacks on NIDS have been explored in several studies.
  This paper introduces ETA, an Explainable Transfer-based Black-Box Adversarial Attack framework.
- Set-level Guidance Attack: Boosting Adversarial Transferability of Vision-Language Pre-training Models (arXiv, 2023-07-26)
  We present the first study to investigate the adversarial transferability of vision-language pre-training models.
  The transferability degradation is partly caused by the under-utilization of cross-modal interactions.
  We propose a highly transferable Set-level Guidance Attack (SGA) that thoroughly leverages modality interactions and incorporates alignment-preserving augmentation with cross-modal guidance.
- Common Knowledge Learning for Generating Transferable Adversarial Examples (arXiv, 2023-07-01)
  This paper focuses on an important type of black-box attack, where the adversary generates adversarial examples using a substitute (source) model.
  Existing methods tend to give unsatisfactory adversarial transferability when the source and target models are of different DNN architecture types.
  We propose a common knowledge learning (CKL) framework to learn better network weights for generating adversarial examples.
- Logit Margin Matters: Improving Transferable Targeted Adversarial Attack by Logit Calibration (arXiv, 2023-03-07)
  The Cross-Entropy (CE) loss function is insufficient for learning transferable targeted adversarial examples.
  We propose two simple and effective logit calibration methods, achieved by downscaling the logits with a temperature factor and an adaptive margin.
  Experiments conducted on the ImageNet dataset validate the effectiveness of the proposed methods.
- Towards Transferable Unrestricted Adversarial Examples with Minimum Changes (arXiv, 2022-01-04)
  Transfer-based adversarial examples are one of the most important classes of black-box attacks.
  There is a trade-off between the transferability and the imperceptibility of the adversarial perturbation.
  We propose a geometry-aware framework to generate transferable adversarial examples with minimum changes.
- Demystifying the Transferability of Adversarial Attacks in Computer Networks (arXiv, 2021-10-09)
  CNN-based models are subject to various adversarial attacks.
  Some adversarial examples could potentially still be effective against different unknown models.
  This paper assesses the robustness of CNN-based models against adversarial transferability.
- Going Far Boosts Attack Transferability, but Do Not Do It (arXiv, 2021-02-20)
  We investigate the impact of optimization on attack transferability through comprehensive experiments covering 7 optimization algorithms, 4 surrogates, and 9 black-box models.
  We surprisingly find that the varied transferability of AEs across optimization algorithms is strongly related to the Root Mean Square Error (RMSE) from their original samples.
  Although LARA significantly improves transferability by 20%, it is insufficient to exploit the vulnerability of DNNs.
- Local Black-box Adversarial Attacks: A Query Efficient Approach (arXiv, 2021-01-04)
  Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios.
  We propose a novel framework to perturb only the discriminative areas of clean examples within a limited number of queries in black-box attacks.
  We conduct extensive experiments to show that our framework can significantly improve query efficiency during black-box perturbation while keeping a high attack success rate.
- TREND: Transferability based Robust ENsemble Design (arXiv, 2020-08-04)
  We study the effect of network architecture, input, weight and activation quantization on the transferability of adversarial samples.
  We show that transferability is significantly hampered by input quantization between source and target.
  We propose a new state-of-the-art ensemble attack to combat this.