AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks

Tu, Chun‐Chen; Ting, Pei‐Yih; Chen, Pin-Yu; Liu, Sijia; Zhang, Huan; Yi, Jinfeng; Hsieh, Cho‐Jui; Cheng, Shin‐Ming

doi:10.48550/arxiv.1805.11770

Cited by 19 publications

(39 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• ZOO (Chen et al, 2017b) (and also (Liu et al, 2017;Bhagoji et al, 2018;Tu et al, 2018)) numerically estimates gradients and then performs gradient descent, making it powerful but potentially ineffective when the loss surface is difficult to optimize over.…”

Section: Apply Gradient-free Attacksmentioning

confidence: 99%

On Evaluating Adversarial Robustness

Carlini,

Athalye,

Papernot

et al. 2019

Preprint

174

262

View full text Add to dashboard Cite

Correctly evaluating defenses against adversarial examples has proven to be extremely difficult. Despite the significant amount of recent work attempting to design defenses that withstand adaptive attacks, few have succeeded; most papers that propose defenses are quickly shown to be incorrect. We believe a large contributing factor is the difficulty of performing security evaluations. In this paper, we discuss the methodological foundations, review commonly accepted best practices, and suggest new methods for evaluating defenses to adversarial examples. We hope that both researchers developing defenses as well as readers and reviewers who wish to understand the completeness of an evaluation consider our advice in order to avoid common pitfalls.

show abstract

Section: Apply Gradient-free Attacksmentioning

confidence: 99%

On Evaluating Adversarial Robustness

Carlini,

Athalye,

Papernot

et al. 2019

Preprint

174

262

View full text Add to dashboard Cite

show abstract

“…The loss L(ĝ) is the minimum expected squared 2 distance between the true gradient ∇f (x) and scaled estimator bĝ. The previous work [32] also uses the expected squared 2 distance E ∇f (x) − ĝ 2 2 as the loss function, which is similar to ours. However, the value of this loss function will change with different magnitude of the estimator ĝ.…”

Section: Gradient Estimation Frameworkmentioning

confidence: 93%

“…Many methods [27,6,3,7,16,24,32,17] have been proposed to perform black-box adversarial attacks. A common idea is to use an approximate gradient instead of the true gradient for crafting adversarial examples.…”

Section: Introductionmentioning

confidence: 99%

“…The reason is that there lacks an adjustment procedure in transferbased attacks when the gradient of the surrogate model points to a non-adversarial region of the target model. In query-based attacks, the gradient can be estimated by various methods, such as finite difference [6,24], random gradient estimation [32], and natural evolution strategy [16]. These methods usually result in a higher attack success rate compared with the transfer-based attack methods [6,24], but they require a tremendous number of queries to perform a successful attack.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improving Black-box Adversarial Attacks with a Transfer-based Prior

Cheng,

Dong,

Pang

et al. 2019

Preprint

View full text Add to dashboard Cite

We consider the black-box adversarial setting, where the adversary has to generate adversarial perturbations without access to the target models to compute gradients. Previous methods tried to approximate the gradient either by using a transfer gradient of a surrogate white-box model, or based on the query feedback. However, these methods often suffer from low attack success rates or poor query efficiency since it is non-trivial to estimate the gradient in a high-dimensional space with limited information. To address these problems, we propose a prior-guided random gradient-free (P-RGF) method to improve black-box adversarial attacks, which takes the advantage of a transfer-based prior and the query information simultaneously. The transfer-based prior given by the gradient of a surrogate model is appropriately integrated into our algorithm by an optimal coefficient derived by a theoretical analysis. Extensive experiments demonstrate that our method requires much fewer queries to attack black-box models with higher success rates compared with the alternative state-of-the-art methods.

show abstract

“…STO aims to secure a system by deliberately hiding or concealing its security flaws Van Oorschot [2003]. Interestingly, some recent works have shown that even in such a "black-box" setting, it is possible to fool the ML classifier with a high probability Chen et al [2017b], Papernot et al [2017], Bhagoji et al [2017], , Tu et al [2018]. These black-box attacks can be broadly classified in two categories: 1) knowledge transfer based attacks, and, 2) zeroth-order optimization based attacks.…”

Section: Introductionmentioning

confidence: 99%

Universal Decision-Based Black-Box Perturbations: Breaking Security-Through-Obscurity Defenses

Hogan¹,

Kailkhura²

2018

Preprint

View full text Add to dashboard Cite

We study the problem of finding a universal (image-agnostic) perturbation to fool machine learning (ML) classifiers (e.g., neural nets, decision tress) in the hard-label black-box setting. Recent work in adversarial ML in the white-box setting (model parameters are known) has shown that many state-of-the-art image classifiers are vulnerable to universal adversarial perturbations: a fixed human-imperceptible perturbation that, when added to any image, causes it to be misclassified with high probability Kurakin et al. [2016], , Chen et al. [2017a], Carlini and Wagner [2017]. This paper considers a more practical and challenging problem of finding such universal perturbations in an obscure (or black-box) setting. More specifically, we use zeroth order optimization algorithms to find such a universal adversarial perturbation when no model information is revealed-except that the attacker can make queries to probe the classifier. We further relax the assumption that the output of a query is continuous valued confidence scores for all the classes and consider the case where the output is a hard-label decision. Surprisingly, we found that even in these extremely obscure regimes, state-of-theart ML classifiers can be fooled with a very high probability just by adding a single human-imperceptible image perturbation to any natural image. The surprising existence of universal perturbations in a hard-label (or decision-based) black-box setting raises serious security concerns with the existence of a universal noise vector that adversaries can possibly exploit to break a classifier on most natural images.

show abstract

AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks

Cited by 19 publications

References 17 publications

On Evaluating Adversarial Robustness

On Evaluating Adversarial Robustness

Improving Black-box Adversarial Attacks with a Transfer-based Prior

Universal Decision-Based Black-Box Perturbations: Breaking Security-Through-Obscurity Defenses

Contact Info

Product

Resources

About