Gradient Aligned Attacks via a Few Queries
- URL: http://arxiv.org/abs/2205.09518v2
- Date: Wed, 3 May 2023 02:10:31 GMT
- Title: Gradient Aligned Attacks via a Few Queries
- Authors: Xiangyuan Yang, Jie Lin, Hanlin Zhang, Xinyu Yang, Peng Zhao
- Abstract summary: Black-box query attacks show low performance in a novel scenario where only a few queries are allowed.
We propose gradient aligned attacks (GAA) which use the gradient aligned losses to improve the attack performance on the victim model.
Our proposed gradient aligned attacks and losses show significant improvements in the attack performance and query efficiency of black-box query attacks.
- Score: 18.880398046794138
- License: http://creativecommons.org/publicdomain/zero/1.0/
- Abstract: Black-box query attacks, which rely only on the output of the victim model,
have proven to be effective in attacking deep learning models. However,
existing black-box query attacks show low performance in a novel scenario where
only a few queries are allowed. To address this issue, we propose gradient
aligned attacks (GAA), which use the gradient aligned losses (GAL) we designed
on the surrogate model to estimate the accurate gradient to improve the attack
performance on the victim model. Specifically, we propose a gradient aligned
mechanism to ensure that the derivatives of the loss function with respect to
the logit vector have the same weight coefficients between the surrogate and
victim models. Using this mechanism, we transform the cross-entropy (CE) loss
and margin loss into gradient aligned forms, i.e. the gradient aligned CE or
margin losses. These losses not only improve the attack performance of our
gradient aligned attacks in the novel scenario but also increase the query
efficiency of existing black-box query attacks. Through theoretical and
empirical analysis on the ImageNet database, we demonstrate that our gradient
aligned mechanism is effective, and that our gradient aligned attacks can
improve the attack performance in the novel scenario by 16.1% and 31.3% on
the $l_2$ and $l_{\infty}$ norms of the box constraint, respectively, compared
to four latest transferable prior-based query attacks. Additionally, the
gradient aligned losses also significantly reduce the number of queries
required in these transferable prior-based query attacks by a maximum factor of
2.9 times. Overall, our proposed gradient aligned attacks and losses show
significant improvements in the attack performance and query efficiency of
black-box query attacks, particularly in scenarios where only a few queries are
allowed.
Related papers
- Advancing Generalized Transfer Attack with Initialization Derived Bilevel Optimization and Dynamic Sequence Truncation [49.480978190805125]
Transfer attacks generate significant interest for black-box applications.
Existing works essentially directly optimize the single-level objective w.r.t. the surrogate model.
We propose a bilevel optimization paradigm, which explicitly reforms the nested relationship between the Upper-Level (UL) pseudo-victim attacker and the Lower-Level (LL) surrogate attacker.
arXiv Detail & Related papers (2024-06-04T07:45:27Z)
- Efficient Black-box Adversarial Attacks via Bayesian Optimization Guided by a Function Prior [36.101904669291436]
This paper studies the challenging black-box adversarial attack that aims to generate examples against a black-box model by only using output feedback of the model to input queries.
We propose a Prior-guided Bayesian Optimization (P-BO) algorithm that leverages the surrogate model as a global function prior in black-box adversarial attacks.
Our theoretical analysis on the regret bound indicates that the performance of P-BO may be affected by a bad prior.
arXiv Detail & Related papers (2024-05-29T14:05:16Z)
- Defense Against Model Extraction Attacks on Recommender Systems [53.127820987326295]
We introduce Gradient-based Ranking Optimization (GRO) to defend against model extraction attacks on recommender systems.
GRO aims to minimize the loss of the protected target model while maximizing the loss of the attacker's surrogate model.
Results show GRO's superior effectiveness in defending against model extraction attacks.
arXiv Detail & Related papers (2023-10-25T03:30:42Z)
- CGBA: Curvature-aware Geometric Black-box Attack [39.63633212337113]
Decision-based black-box attacks often necessitate a large number of queries to craft an adversarial example.
We propose a novel query-efficient curvature-aware geometric decision-based black-box attack (CGBA).
We develop a new query-efficient variant, CGBA-H, that is adapted for the targeted attack.
arXiv Detail & Related papers (2023-08-06T17:18:04Z)
- Logit Margin Matters: Improving Transferable Targeted Adversarial Attack by Logit Calibration [85.71545080119026]
Cross-Entropy (CE) loss function is insufficient to learn transferable targeted adversarial examples.
We propose two simple and effective logit calibration methods, which are achieved by downscaling the logits with a temperature factor and an adaptive margin.
Experiments conducted on the ImageNet dataset validate the effectiveness of the proposed methods.
arXiv Detail & Related papers (2023-03-07T06:42:52Z)
- Query Efficient Cross-Dataset Transferable Black-Box Attack on Action Recognition [99.29804193431823]
Black-box adversarial attacks present a realistic threat to action recognition systems.
We propose a new attack on action recognition that addresses these shortcomings by generating perturbations.
Our method achieves 8% and 12% higher deception rates compared to state-of-the-art query-based and transfer-based attacks.
arXiv Detail & Related papers (2022-11-23T17:47:49Z)
- Attackar: Attack of the Evolutionary Adversary [0.0]
This paper introduces Attackar, an evolutionary, score-based, black-box attack.
Attackar is based on a novel objective function that can be used in gradient-free optimization problems.
Our results demonstrate the superior performance of Attackar, both in terms of accuracy score and query efficiency.
arXiv Detail & Related papers (2022-08-17T13:57:23Z)
- Query-Efficient Black-box Adversarial Attacks Guided by a Transfer-based Prior [50.393092185611536]
We consider the black-box adversarial setting, where the adversary needs to craft adversarial examples without access to the gradients of a target model.
Previous methods attempted to approximate the true gradient either by using the transfer gradient of a surrogate white-box model or based on the feedback of model queries.
We propose two prior-guided random gradient-free (PRGF) algorithms based on biased sampling and gradient averaging.
arXiv Detail & Related papers (2022-03-13T04:06:27Z)
- Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent [92.4348499398224]
Black-box adversarial attack methods have received special attention owing to their practicality and simplicity.
We propose a zeroth-order natural gradient descent (ZO-NGD) method to design the adversarial attacks.
ZO-NGD can obtain significantly lower model query complexities compared with state-of-the-art attack methods.
arXiv Detail & Related papers (2020-02-18T21:48:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.