2021
DOI: 10.48550/arxiv.2101.01032
Preprint

Local Black-box Adversarial Attacks: A Query Efficient Approach

Abstract: Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios. Most existing black-box attacks fool the target model by interacting with it many times and producing global perturbations. However, global perturbations change the smooth and insignificant background, which not only makes the perturbation easier to perceive but also increases the query overhead. In this paper, we propose a novel framework to perturb the discriminative areas of clean examples only …
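The abstract describes confining perturbations to discriminative regions in order to cut query cost. A minimal sketch of that general idea, assuming a precomputed binary saliency mask and a hypothetical `query_model` loss oracle; this is an illustrative random-search loop, not the paper's exact algorithm:

```python
# Minimal sketch (not the paper's algorithm): a random-search black-box
# attack that only perturbs pixels inside a precomputed saliency mask,
# so queries are spent on discriminative regions only.
# `query_model` and `saliency_mask` are hypothetical placeholders.
import numpy as np

def masked_random_search(x, y_true, query_model, saliency_mask,
                         eps=0.05, n_queries=1000, rng=None):
    """x: clean image in [0, 1], shape (H, W, C); saliency_mask: {0, 1}, shape (H, W, 1)."""
    rng = np.random.default_rng() if rng is None else rng
    delta = np.zeros_like(x)
    best_loss = query_model(np.clip(x + delta, 0, 1), y_true)  # 1 query
    for _ in range(n_queries - 1):
        # Propose random sign flips on masked pixels only.
        trial = delta + eps * rng.choice([-1.0, 1.0], size=x.shape) * saliency_mask
        trial = np.clip(trial, -eps, eps)
        loss = query_model(np.clip(x + trial, 0, 1), y_true)
        if loss > best_loss:          # keep proposals that increase the loss
            delta, best_loss = trial, loss
    return np.clip(x + delta, 0, 1)
```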


Cited by 5 publications (7 citation statements) | References 33 publications
“…Qian et al [38] proposed the CFR attack using the interpretability of neural networks and an optimization-based attack. Xiang et al [44] utilized model interpretability and a gradient-based attack to generate an initial adversarial example. Then, they generated the final example through gradient estimation and random search.…”
Section: Local Adversarial Attacks
confidence: 99%
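The query-based refinement mentioned above (gradient estimation plus random search) can be illustrated with a NES-style finite-difference estimator confined to a saliency mask. `query_loss` is a hypothetical black-box oracle, and the sketch is a generic illustration rather than the cited papers' exact procedure:

```python
# Sketch of NES-style gradient estimation confined to a saliency mask.
# `query_loss` is a hypothetical black-box loss oracle: higher = more adversarial.
import numpy as np

def estimate_masked_gradient(x, query_loss, mask, sigma=0.01, n_samples=20, rng=None):
    rng = np.random.default_rng() if rng is None else rng
    grad = np.zeros_like(x)
    for _ in range(n_samples):
        u = rng.standard_normal(x.shape) * mask      # probe only masked pixels
        # Antithetic sampling: two queries per probe direction.
        g = query_loss(x + sigma * u) - query_loss(x - sigma * u)
        grad += g * u
    return grad / (2 * sigma * n_samples)
```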
“…As aforementioned, there have been white-box attacks or transfer-based attacks that restrict the perturbations to a small salient region. Specifically, white-box attack JSMA [26] constructs a BP-saliency map by calculating derivatives of the model output w.r.t input pixels [32], while the two transfer-based attacks [10,40] utilize CAM and Grad-CAM to extract salient regions, respectively. CAM [46] replaces the final fully connected layers with convolutional layers and global average pooling of a CNN, and localizes class-specific salient regions through forward propagation.…”
Section: Extracting Salient Region
confidence: 99%
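The CAM computation the quote describes reduces, at inference time, to a class-weighted sum of the last convolutional feature maps. A minimal sketch, assuming `features` and `fc_weights` come from a forward pass of a CAM-compatible CNN:

```python
# Sketch of the CAM computation described above: the class score is a
# global-average-pooled feature map passed through a linear layer, so the
# class-specific saliency is a weighted sum of the last conv feature maps.
# `features` has shape (C, H, W); `fc_weights` has shape (num_classes, C).
import numpy as np

def class_activation_map(features, fc_weights, class_idx):
    cam = np.tensordot(fc_weights[class_idx], features, axes=([0], [0]))  # (H, W)
    cam = np.maximum(cam, 0)                      # keep positive evidence
    return cam / (cam.max() + 1e-8)               # normalize to [0, 1]

def salient_mask(cam, threshold=0.5):
    # Upsampling to input resolution is omitted; threshold the map to get
    # the region whose pixels will be perturbed.
    return (cam >= threshold).astype(np.float32)
```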
“…Thus, we propose the Saliency Attack, a novel black-box attack that recursively refines the perturbations in the salient region. It is worth mentioning that except white-box attack JSMA, the idea of restricting perturbations to a small region has also been implemented in transfer-based attacks [10,40], where class activation mapping (CAM) [46] and Grad-CAM [30] are adopted to generate the saliency maps. However, transfer-based attacks assume the data distribution for training the target model is available and thus could build a substitute model to approximate it, which actually belong to the grey-box setting where partial knowledge of the target model is known.…”
Section: Introduction
confidence: 99%
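Grad-CAM [30] is the other saliency-map generator mentioned above. A minimal PyTorch sketch of it follows; the choice of `target_layer`, the assumed batch-of-one output shape, and any thresholding are left to the caller, and this is a generic illustration rather than the Saliency Attack itself:

```python
# Minimal Grad-CAM sketch: gradients of the target-class score w.r.t. the
# chosen conv layer's feature maps weight those maps, avoiding CAM's
# architectural constraint. Assumes model(x) returns logits of shape (1, num_classes).
import torch
import torch.nn.functional as F

def grad_cam(model, target_layer, x, class_idx):
    feats, grads = {}, {}
    h1 = target_layer.register_forward_hook(lambda m, i, o: feats.setdefault("v", o))
    h2 = target_layer.register_full_backward_hook(lambda m, gi, go: grads.setdefault("v", go[0]))
    score = model(x)[0, class_idx]
    model.zero_grad()
    score.backward()
    h1.remove(); h2.remove()
    w = grads["v"].mean(dim=(2, 3), keepdim=True)             # channel weights
    cam = F.relu((w * feats["v"]).sum(dim=1, keepdim=True))   # (1, 1, h, w)
    cam = F.interpolate(cam, size=x.shape[-2:], mode="bilinear", align_corners=False)
    return (cam / (cam.max() + 1e-8)).squeeze()
```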
“…Deep models are vulnerable to adversarial examples that are maliciously constructed to mislead the models to output wrong predictions but visually indistinguishable from normal samples [182]- [185]. Adversarial training [186]- [188] is one of the most effective approaches to defend deep models against adversarial examples and enhance their robustness.…”
Section: B. Collaborative Adversarial Training
confidence: 99%
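For context on the defense referenced here, a sketch of one step of standard PGD adversarial training; this is a textbook formulation, not any specific paper's recipe:

```python
# One training step of L_inf PGD adversarial training: craft a perturbation
# inside an eps-ball around the batch, then update the model on the
# perturbed examples. Hyperparameters are illustrative.
import torch
import torch.nn.functional as F

def pgd_adv_train_step(model, optimizer, x, y, eps=8/255, alpha=2/255, steps=7):
    model.eval()
    delta = torch.empty_like(x).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        loss = F.cross_entropy(model((x + delta).clamp(0, 1)), y)
        grad, = torch.autograd.grad(loss, delta)
        delta = (delta + alpha * grad.sign()).clamp(-eps, eps).detach().requires_grad_(True)
    model.train()
    optimizer.zero_grad()
    loss = F.cross_entropy(model((x + delta.detach()).clamp(0, 1)), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```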