MaskBlock: Transferable Adversarial Examples with Bayes Approach
- URL: http://arxiv.org/abs/2208.06538v1
- Date: Sat, 13 Aug 2022 01:20:39 GMT
- Title: MaskBlock: Transferable Adversarial Examples with Bayes Approach
- Authors: Mingyuan Fan, Cen Chen, Ximeng Liu, Wenzhong Guo
- Abstract summary: The transferability of adversarial examples across diverse models is of critical importance for black-box adversarial attacks.
We show that vanilla black-box attacks craft AEs via solving a maximum likelihood estimation (MLE) problem.
We re-formulate crafting transferable AEs as a maximum a posteriori probability estimation problem, which is an effective approach to boost the generalization of results with limited available data.
- Score: 35.237713022434235
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The transferability of adversarial examples (AEs) across diverse models is of
critical importance for black-box adversarial attacks, where attackers cannot
access the information about black-box models. However, crafted AEs always
present poor transferability. In this paper, by regarding the transferability
of AEs as generalization ability of the model, we reveal that vanilla black-box
attacks craft AEs via solving a maximum likelihood estimation (MLE) problem.
For MLE, the results are probably model-specific local optima when available
data is small, i.e., limiting the transferability of AEs. By contrast, we
re-formulate crafting transferable AEs as a maximum a posteriori
probability estimation problem, which is an effective approach to boost the
generalization of results with limited available data. Because Bayes posterior
inference is commonly intractable, a simple yet effective method called
MaskBlock is developed to approximately estimate. Moreover, we show that the
formulated framework is a generalized version of various attack methods.
Extensive experiments illustrate MaskBlock can significantly improve the
transferability of crafted adversarial examples by up to about 20%.
Related papers
- Transferable Adversarial Attacks on SAM and Its Downstream Models [87.23908485521439]
This paper explores the feasibility of adversarially attacking various downstream models fine-tuned from the segment anything model (SAM).
To enhance the effectiveness of the adversarial attack towards models fine-tuned on unknown datasets, we propose a universal meta-initialization (UMI) algorithm.
arXiv Detail & Related papers (2024-10-26T15:04:04Z)
- Enhancing Adversarial Transferability with Adversarial Weight Tuning [36.09966860069978]
Adversarial examples (AEs) mislead the model while appearing benign to human observers.
AWT is a data-free tuning method that combines gradient-based and model-based attack methods to enhance the transferability of AEs.
arXiv Detail & Related papers (2024-08-18T13:31:26Z)
- Enhancing targeted transferability via feature space fine-tuning [21.131915084053894]
Adversarial examples (AEs) have been extensively studied due to their potential for privacy protection and inspiring robust neural networks.
We propose fine-tuning an AE crafted by existing simple iterative attacks to make it transferable across unknown models.
arXiv Detail & Related papers (2024-01-05T09:46:42Z)
- DifAttack: Query-Efficient Black-Box Attack via Disentangled Feature Space [6.238161846680642]
This work investigates efficient score-based black-box adversarial attacks with a high Attack Success Rate (ASR) and good generalizability.
We design a novel attack method based on a Disentangled Feature space, called DifAttack, which differs significantly from the existing ones operating over the entire feature space.
arXiv Detail & Related papers (2023-09-26T00:15:13Z)
- GNP Attack: Transferable Adversarial Examples via Gradient Norm Penalty [14.82389560064876]
Adversarial examples (AE) with good transferability enable practical black-box attacks on diverse target models.
We propose a novel approach to enhance AE transferability using Gradient Norm Penalty (GNP).
By attacking 11 state-of-the-art deep learning models and 6 advanced defense methods, we empirically show that GNP is very effective in generating AE with high transferability.
arXiv Detail & Related papers (2023-07-09T05:21:31Z)
- On the Transferability of Adversarial Examples between Encrypted Models [20.03508926499504]
We investigate the transferability of models encrypted for adversarially robust defense for the first time.
In an image-classification experiment, the use of encrypted models is confirmed not only to be robust against AEs but to also reduce the influence of AEs.
arXiv Detail & Related papers (2022-09-07T08:50:26Z)
- Learning to Learn Transferable Attack [77.67399621530052]
Transfer adversarial attack is a non-trivial black-box adversarial attack that aims to craft adversarial perturbations on the surrogate model and then apply such perturbations to the victim model.
We propose a Learning to Learn Transferable Attack (LLTA) method, which makes the adversarial perturbations more generalized via learning from both data and model augmentation.
Empirical results on the widely-used dataset demonstrate the effectiveness of our attack method with a 12.85% higher success rate of transfer attack compared with the state-of-the-art methods.
arXiv Detail & Related papers (2021-12-10T07:24:21Z)
- Local Black-box Adversarial Attacks: A Query Efficient Approach [64.98246858117476]
Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios.
We propose a novel framework to perturb the discriminative areas of clean examples only within limited queries in black-box attacks.
We conduct extensive experiments to show that our framework can significantly improve the query efficiency during black-box perturbing with a high attack success rate.
arXiv Detail & Related papers (2021-01-04T15:32:16Z)
- Decision-based Universal Adversarial Attack [55.76371274622313]
In black-box setting, current universal adversarial attack methods utilize substitute models to generate the perturbation.
We propose an efficient Decision-based Universal Attack (DUAttack).
The effectiveness of DUAttack is validated through comparisons with other state-of-the-art attacks.
arXiv Detail & Related papers (2020-09-15T12:49:03Z)
- Two Sides of the Same Coin: White-box and Black-box Attacks for Transfer Learning [60.784641458579124]
We show that fine-tuning effectively enhances model robustness under white-box FGSM attacks.
We also propose a black-box attack method for transfer learning models which attacks the target model with the adversarial examples produced by its source model.
To systematically measure the effect of both white-box and black-box attacks, we propose a new metric to evaluate how transferable the adversarial examples produced by a source model are to a target model.
arXiv Detail & Related papers (2020-08-25T15:04:32Z)
This list is automatically generated from the titles and abstracts of the papers in this site.