Substitute Model Generation for Black-Box Adversarial Attack Based on Knowledge Distillation

Cui, Weiyu; Li, Xiaorui; Huang, Jiawei; Wang, Wenyi; Wang, Shuai; Chen, Jianwen

doi:10.1109/icip40778.2020.9191063

Cited by 15 publications

(8 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With the in‐depth study of black‐box attacks on deep learning models, substitute‐based adversarial attacks have received a lot of attention. Cui et al 61 proposed an algorithm to generate the substitute model of CNN models by using knowledge distillation and boosting the attacking success rate by 20%. Gao et al 62 integrated linear augmentation into substitute training and achieved success rates of 97.7% and 92.8% in MNIST and GTSRB classifiers.…”

Section: Related Workmentioning

confidence: 99%

Cheating your apps: Black‐box adversarial attacks on deep learning apps

Cao

Zhou

et al. 2023

J Software Evolu Process

View full text Add to dashboard Cite

Deep learning is a powerful technique to boost application performance in various fields, including face recognition, image classification, natural language understanding, and recommendation system. With the rapid increase in the computing power of mobile devices, developers can embed deep learning models into their apps for building more competitive products with more accurate and faster responses. Although there are several works of adversarial attacks against deep learning models in apps, they all need information about the models' internals (i.e., structures and weights) or need to modify the models. In this paper, we propose an effective black‐box approach by training substitute models to spoof the deep learning systems inside the apps. We evaluate our approach on 10 real‐world deep‐learning apps from Google Play to perform black‐box adversarial attacks. Through the study, we find three factors that can affect the performance of attacks. Our approach can reach a relatively high attack success rate of 66.60% on average. Compared with other adversarial attacks on mobile deep learning models, in terms of the average attack success rates, our approach outperforms its counterparts by 27.63%.

show abstract

Section: Related Workmentioning

confidence: 99%

Cheating your apps: Black‐box adversarial attacks on deep learning apps

Cao

Zhou

et al. 2023

J Software Evolu Process

View full text Add to dashboard Cite

show abstract

“…[30] illustrates that deep neural networks are susceptible to adversarial perturbations. Subsequently, more and more works [2][3][4][5]7,8,11,17,19,21,24,34] focus on the adversarial example generation task. In general, the attack task can be divided into white-box and black-box attacks, the former one can know the knowledge of the structure and parameters of the target model, and the latter one only has the access to the simple output of the target.…”

Section: Related Workmentioning

confidence: 99%

“…Most white-box algorithms [2,5,8,17,21,24] generate adversarial examples based on the gradient of loss function with respect to the inputs. For the black-box attack, some methods [3,4,7] iteratively query the outputs of target model and estimate the gradient of target model via training a substitute model; and others [11,19,34] focus on improving the transferability of adversarial examples across different models. In this work, we focus on the more practical and challenging scenario, i.e., the data-free black-box attack, which attacks the black-box target model without the need for any real data samples.…”

Section: Related Workmentioning

confidence: 99%

“…Adversarial attack methods can be categorized into two main settings, i.e., white-box attack [2,5,17,21,24] and black-box attack [3,3,4,6,7,12,13,35], by whether or not the attackers can have full access to the structure and parameters of the target model. Nowadays, in the era of big data, data is one of the most valuable assets for companies, and much of it also has privacy issues.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DST: Dynamic Substitute Training for Data-free Black-box Attack

Wang¹,

Qian²,

Fu³

et al. 2022

Preprint

View full text Add to dashboard Cite

With the wide applications of deep neural network models in various computer vision tasks, more and more works study the model vulnerability to adversarial examples. For data-free black box attack scenario, existing methods are inspired by the knowledge distillation, and thus usually train a substitute model to learn knowledge from the target model using generated data as input. However, the substitute model always has a static network structure, which limits the attack ability for various target models and tasks. In this paper, we propose a novel dynamic substitute training attack method to encourage substitute model to learn better and faster from the target model. Specifically, a dynamic substitute structure learning strategy is proposed to adaptively generate optimal substitute model structure via a dynamic gate according to different target models and tasks. Moreover, we introduce a task-driven graph-based structure information learning constrain to improve the quality of generated training data, and facilitate the substitute model learning structural relationships from the target model multiple outputs. Extensive experiments have been conducted to verify the efficacy of the proposed attack method, which can achieve better performance compared with the state-ofthe-art competitors on several datasets.

show abstract

“…In query-based attacks [6,7,8], only the classification results or probability distribution information can be obtained by attackers. In transfer-based attacks [9,10,11], attackers can transfer part of queries from the black-box model to the local agent model selected by the attackers, in order to alle- viate the high-frequency query to the black-box model. In meta-learning-based attacks [12], attackers use the characteristics of meta-learning and knowledge distillation to make transfered simulator model more adaptable.…”

Section: Introductionmentioning

confidence: 99%

Simulator Attack+ for Black-Box Adversarial Attack

Ding

Chen

et al. 2022

2022 IEEE International Conference on Image Processing (ICIP)

View full text Add to dashboard Cite

Numerous researches on adversarial black-box attacks have proved that deep neural networks have certain insecurity. However, the current black-box attack methods still have shortages in incomplete utilization of query information. The newly proposed Simulator Attack based on meta-learning shows good performance in query-efficiency but still misses some hidden information. For this disadvantage, our research finds the usability of the feature layer output information in a simulator model for the first time. Then we propose an optimized Simulator Attack+ framework based on this discovery. By conducting experiments on the CIFAR-10 and CIFAR-100 datasets, results legibly show that Simulator Attack+ can further reduce the number of consuming queries to improve query-efficiency meanwhile maintaining attack effect. Our code is available at https://github.com/Rain117E/ SimulatorAttackplus.

show abstract

Substitute Model Generation for Black-Box Adversarial Attack Based on Knowledge Distillation

Cited by 15 publications

References 12 publications

Cheating your apps: Black‐box adversarial attacks on deep learning apps

Cheating your apps: Black‐box adversarial attacks on deep learning apps

DST: Dynamic Substitute Training for Data-free Black-box Attack

Simulator Attack+ for Black-Box Adversarial Attack

Contact Info

Product

Resources

About