Towards Evaluating Transfer-based Attacks Systematically, Practically, and Fairly

• URL: http://arxiv.org/abs/2311.01323v1
• Date: Thu, 2 Nov 2023 15:35:58 GMT
• Title: Towards Evaluating Transfer-based Attacks Systematically, Practically, and Fairly
• Authors: Qizhang Li, Yiwen Guo, Wangmeng Zuo, Hao Chen
• Abstract summary: adversarial vulnerability of deep neural networks (DNNs) has drawn great attention. An increasing number of transfer-based methods have been developed to fool black-box DNN models. We establish a transfer-based attack benchmark (TA-Bench) which implements 30+ methods.
• Score: 79.07074710460012
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: The adversarial vulnerability of deep neural networks (DNNs) has drawn great attention due to the security risk of applying these models in real-world applications. Based on transferability of adversarial examples, an increasing number of transfer-based methods have been developed to fool black-box DNN models whose architecture and parameters are inaccessible. Although tremendous effort has been exerted, there still lacks a standardized benchmark that could be taken advantage of to compare these methods systematically, fairly, and practically. Our investigation shows that the evaluation of some methods needs to be more reasonable and more thorough to verify their effectiveness, to avoid, for example, unfair comparison and insufficient consideration of possible substitute/victim models. Therefore, we establish a transfer-based attack benchmark (TA-Bench) which implements 30+ methods. In this paper, we evaluate and compare them comprehensively on 25 popular substitute/victim models on ImageNet. New insights about the effectiveness of these methods are gained and guidelines for future evaluations are provided. Code at: https://github.com/qizhangli/TA-Bench.

Related papers

• MIBench: A Comprehensive Benchmark for Model Inversion Attack and Defense [43.71365087852274]
  Model Inversion (MI) attacks aim at leveraging the output information of target models to reconstruct privacy-sensitive training data. The lack of a comprehensive, aligned, and reliable benchmark has emerged as a formidable challenge. We introduce the first practical benchmark for model inversion attacks and defenses to address this critical gap, which is named textitMIBench
  arXiv  Detail & Related papers  (2024-10-07T16:13:49Z)
• Enhancing Adversarial Attacks: The Similar Target Method [6.293148047652131]
  adversarial examples pose a threat to deep neural networks' applications. Deep neural networks are vulnerable to adversarial examples, posing a threat to the models' applications and raising security concerns. We propose a similar targeted attack method named Similar Target(ST)
  arXiv  Detail & Related papers  (2023-08-21T14:16:36Z)
• Benchmarking Test-Time Adaptation against Distribution Shifts in Image Classification [77.0114672086012]
  Test-time adaptation (TTA) is a technique aimed at enhancing the generalization performance of models by leveraging unlabeled samples solely during prediction. We present a benchmark that systematically evaluates 13 prominent TTA methods and their variants on five widely used image classification datasets.
  arXiv  Detail & Related papers  (2023-07-06T16:59:53Z)
• Better Understanding Differences in Attribution Methods via Systematic Evaluations [57.35035463793008]
  Post-hoc attribution methods have been proposed to identify image regions most influential to the models' decisions. We propose three novel evaluation schemes to more reliably measure the faithfulness of those methods. We use these evaluation schemes to study strengths and shortcomings of some widely used attribution methods over a wide range of models.
  arXiv  Detail & Related papers  (2023-03-21T14:24:58Z)
• Making Substitute Models More Bayesian Can Enhance Transferability of Adversarial Examples [89.85593878754571]
  transferability of adversarial examples across deep neural networks is the crux of many black-box attacks. We advocate to attack a Bayesian model for achieving desirable transferability. Our method outperforms recent state-of-the-arts by large margins.
  arXiv  Detail & Related papers  (2023-02-10T07:08:13Z)
• Towards Better Understanding Attribution Methods [77.1487219861185]
  Post-hoc attribution methods have been proposed to identify image regions most influential to the models' decisions. We propose three novel evaluation schemes to more reliably measure the faithfulness of those methods. We also propose a post-processing smoothing step that significantly improves the performance of some attribution methods.
  arXiv  Detail & Related papers  (2022-05-20T20:50:17Z)
• Detection Defense Against Adversarial Attacks with Saliency Map [7.736844355705379]
  It is well established that neural networks are vulnerable to adversarial examples, which are almost imperceptible on human vision. Existing defenses are trend to harden the robustness of models against adversarial attacks. We propose a novel method combined with additional noises and utilize the inconsistency strategy to detect adversarial examples.
  arXiv  Detail & Related papers  (2020-09-06T13:57:17Z)
• Yet Another Intermediate-Level Attack [31.055720988792416]
  The transferability of adversarial examples across deep neural network (DNN) models is the crux of a spectrum of black-box attacks. We propose a novel method to enhance the black-box transferability of baseline adversarial examples.
  arXiv  Detail & Related papers  (2020-08-20T09:14:04Z)
• Towards Transferable Adversarial Attack against Deep Face Recognition [58.07786010689529]
  Deep convolutional neural networks (DCNNs) have been found to be vulnerable to adversarial examples. transferable adversarial examples can severely hinder the robustness of DCNNs. We propose DFANet, a dropout-based method used in convolutional layers, which can increase the diversity of surrogate models. We generate a new set of adversarial face pairs that can successfully attack four commercial APIs without any queries.
  arXiv  Detail & Related papers  (2020-04-13T06:44:33Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.