2018
DOI: 10.48550/arxiv.1807.04457
|View full text |Cite
Preprint
|
Sign up to set email alerts
|

Query-Efficient Hard-label Black-box Attack:An Optimization-based Approach

Abstract: We study the problem of attacking a machine learning model in the hard-label black-box setting, where no model information is revealed except that the attacker can make queries to probe the corresponding hard-label decisions. This is a very challenging problem since the direct extension of state-of-the-art white-box attacks (e.g., C&W or PGD) to the hard-label black-box setting will require minimizing a non-continuous step function, which is combinatorial and cannot be solved by a gradient-based optimizer. The… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

0
123
0
2

Year Published

2018
2018
2022
2022

Publication Types

Select...
3
2
2

Relationship

2
5

Authors

Journals

citations
Cited by 77 publications
(125 citation statements)
references
References 14 publications
0
123
0
2
Order By: Relevance
“…On each of the dataset Cifar-10, Cifar-100, Tiered T 84 , and Tiered V 56 , we train the seven models ResNet-18, -34, SeResNet-26, VGG-16, MobileNet-V1, MobileNet-V3, and DenseNet-26. The network architectures of all the seven models are defined in the public GitHub repository 5 . We use consistent hyper-parameters to train all the models for 80,000 iterations without data augmentation.…”
Section: A Appendixmentioning
confidence: 99%
See 2 more Smart Citations
“…On each of the dataset Cifar-10, Cifar-100, Tiered T 84 , and Tiered V 56 , we train the seven models ResNet-18, -34, SeResNet-26, VGG-16, MobileNet-V1, MobileNet-V3, and DenseNet-26. The network architectures of all the seven models are defined in the public GitHub repository 5 . We use consistent hyper-parameters to train all the models for 80,000 iterations without data augmentation.…”
Section: A Appendixmentioning
confidence: 99%
“…In lots of cases, the attack success rate of ICE is more than twice as much as that of baselines, which further indicates the effectiveness of the proposed ICE. 5 https://github.com/yxlijun/cifar-tensorflow…”
Section: A Appendixmentioning
confidence: 99%
See 1 more Smart Citation
“…Ilyas et al [8] picked a target image and fine-tuned it toward the original image. Cheng et al [9,10] applied randomized gradient-free ZOO techniques.…”
Section: Related Workmentioning
confidence: 99%
“…Depending on the knowledge about the DNNs that the attackers have, adversarial attacks can be classified into white-box attacks [1,[3][4][5] and black-box attacks [6][7][8][9][10][11][12][13]. The former assumes that the attackers have complete knowledge of the deep network, while the latter assumes that the attackers have limited knowledge, typically some output information of the DNNs.…”
Section: Introductionmentioning
confidence: 99%