Simple and Efficient Hard Label Black-box Adversarial Attacks in Low Query Budget Regimes

Shukla, Satya Narayan; Sahu, Anit Kumar; Willmott, Devin; Kolter, Zico

doi:10.1145/3447548.3467386

Cited by 23 publications

(11 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Adversarial training is a technique that has been shown to enhance the robustness of deep neural networks (DNNs) against adversarial attacks, particularly in static domains such as image [2,22,25] and graph [18,29,41,42] classification. This is achieved by incorporating adversarial examples, generated through adversarial attacks, into the training process.…”

Section: Introductionmentioning

confidence: 99%

Robust Spatiotemporal Traffic Forecasting with Reinforced Dynamic Adversarial Training

Liu

Zhang

2023

Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

View full text Add to dashboard Cite

Machine learning-based forecasting models are commonly used in Intelligent Transportation Systems (ITS) to predict traffic patterns and provide city-wide services. However, most of the existing models are susceptible to adversarial attacks, which can lead to inaccurate predictions and negative consequences such as congestion and delays. Therefore, improving the adversarial robustness of these models is crucial for ITS. In this paper, we propose a novel framework for incorporating adversarial training into spatiotemporal traffic forecasting tasks. We demonstrate that traditional adversarial training methods designated for static domains cannot be directly applied to traffic forecasting tasks, as they fail to effectively defend against dynamic adversarial attacks. Then, we propose a reinforcement learning-based method to learn the optimal node selection strategy for adversarial examples, which simultaneously strengthens the dynamic attack defense capability and reduces the model overfitting. Additionally, we introduce a self-knowledge distillation regularization module to overcome the "forgetting issue" caused by continuously changing adversarial nodes during training. We evaluate our approach on two real-world traffic datasets and demonstrate its superiority over other baselines. Our method effectively enhances the adversarial robustness of spatiotemporal traffic forecasting models. The source code for our framework is available at https://github.com/usail-hkust/RDAT. CCS CONCEPTS• Security and privacy → Mobile and wireless security; • Computing methodologies → Supervised learning.

show abstract

Section: Introductionmentioning

confidence: 99%

Robust Spatiotemporal Traffic Forecasting with Reinforced Dynamic Adversarial Training

Liu

Zhang

2023

Proceedings of the 29th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

View full text Add to dashboard Cite

show abstract

“…Therefore, decision-based attacks with low query efficiency may be inapplicable in the real world. Recently, Shukla et al [22] presented a hard-label black-box attack in low query budget regimes through Bayesian optimization. Although the requisite number of queries is greatly reduced, the attack success rate remains unsatisfactory.…”

Section: Introductionmentioning

confidence: 99%

ADDA: An Adversarial Direction-Guided Decision-Based Attack via Multiple Surrogate Models

Li,

Liu

2023

Mathematics

View full text Add to dashboard Cite

Over the past decade, Convolutional Neural Networks (CNNs) have been extensively deployed in security-critical areas; however, the security of CNN models is threatened by adversarial attacks. Decision-based adversarial attacks, wherein an attacker relies solely on the final output label of the target model to craft adversarial examples, are the most challenging yet practical adversarial attacks. However, existing decision-based adversarial attacks generally suffer from poor query efficiency or low attack success rate, especially for targeted attacks. To address these issues, we propose a query-efficient Adversarial Direction-guided Decision-based Attack (ADDA), which exploits the advantages of transfer-based priors and the benefits of a single query. The transfer-based priors provided by the gradients of multiple different surrogate models can be utilized to suggest the most promising search directions for generating adversarial examples. The query consumption during the ADDA attack is mainly derived from a single query evaluation of the candidate adversarial samples, which significantly saves the number of queries. Experimental results on several ImageNet classifiers, including l∞ and l2 threat models, demonstrate that our proposed approach overwhelmingly outperforms existing state-of-the-art decision-based attacks in terms of both query efficiency and attack success rate. We show case studies of ADDA against a real-world API in which it is successfully able to fool the Google Cloud Vision API after only a few queries.

show abstract

“…Deep neural networks (DNNs) have obtained extraordinary achievements in a broad spectrum of areas (Al-Saffar, Tao, and Talab 2017;Torfi et al 2020;Batmaz et al 2019), but many works reveal that DNNs are extremely vulnerable to adversarial attacks (Shukla et al 2021;Mao et al 2021). Specifically, adversarial attacks can easily fool DNNs by employing adversarial examples (AEs), generated by imposing slight carefully crafted noises into natural examples.…”

Section: Introductionmentioning

confidence: 99%

“…There are two types of black-box attacks: query-based attacks (Shukla et al 2021;Yan et al 2020;Croce and Hein 2020) and transfer-based attacks (Dong et al 2018(Dong et al , 2019. Typically, query-based attacks (Shukla et al 2021;Croce and Hein 2020) need an avalanche of queries to the target model for approximately estimating the information required (input gradient). However, this resource-intensive query budget is costly and inevitably alerts the model owner, significantly limiting their applicability.…”

Section: Introductionmentioning

confidence: 99%

MaskBlock: Transferable Adversarial Examples with Bayes Approach

Fan¹,

Chen²,

Liu³

et al. 2022

Preprint

View full text Add to dashboard Cite

The transferability of adversarial examples (AEs) across diverse models is of critical importance for black-box adversarial attacks, where attackers cannot access the information about black-box models. However, crafted AEs always present poor transferability. In this paper, by regarding the transferability of AEs as generalization ability of the model, we reveal that vanilla black-box attacks craft AEs via solving a maximum likelihood estimation (MLE) problem. For MLE, the results probably are model-specific local optimum when available data is small, i.e., limiting the transferability of AEs. By contrast, we re-formulate crafting transferable AEs as the maximizing a posteriori probability estimation problem, which is an effective approach to boost the generalization of results with limited available data. Because Bayes posterior inference is commonly intractable, a simple yet effective method called MaskBlock is developed to approximately estimate. Moreover, we show that the formulated framework is a generalization version for various attack methods. Extensive experiments illustrate MaskBlock can significantly improve the transferability of crafted adversarial examples by up to about 20%.

show abstract

Simple and Efficient Hard Label Black-box Adversarial Attacks in Low Query Budget Regimes

Cited by 23 publications

References 16 publications

Robust Spatiotemporal Traffic Forecasting with Reinforced Dynamic Adversarial Training

Robust Spatiotemporal Traffic Forecasting with Reinforced Dynamic Adversarial Training

ADDA: An Adversarial Direction-Guided Decision-Based Attack via Multiple Surrogate Models

MaskBlock: Transferable Adversarial Examples with Bayes Approach

Contact Info

Product

Resources

About