Title | Substitute Model Generation for Black-Box Adversarial Attack Based on Knowledge Distillation |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Cui, W., Li, X., Huang, J., Wang, W., Wang, S., Chen, J. |
Conference Name | 2020 IEEE International Conference on Image Processing (ICIP) |
Keywords | adversarial attack perturbation, adversarial samples, Approximation algorithms, attacking success rate, black-box adversarial attack, black-box adversarial samples, black-box CNN models, black-box models, classification mechanism, compact student model, Computational modeling, Computer vision, computer vision tasks, convolutional neural nets, convolutional neural networks, deep convolutional neural network, DenseNet121, image classification, knowledge distillation, learning (artificial intelligence), multiple CNN teacher models, Perturbation methods, Predictive models, ResNet18, substitute model, substitute model generation, Task Analysis, Training, white-box attacking methods |
Abstract | Although deep convolutional neural networks (CNNs) perform well in many computer vision tasks, their classification mechanism is highly vulnerable to the perturbations of adversarial attacks. In this paper, we propose a new algorithm that uses knowledge distillation to generate a substitute model for black-box CNN models. The proposed algorithm distills multiple CNN teacher models into a compact student model, which serves as a substitute for the black-box CNN model to be attacked. Black-box adversarial samples can then be generated on this substitute model with various white-box attacking methods. In our experiments on ResNet18 and DenseNet121, training the substitute model with knowledge distillation boosts the attacking success rate (ASR) by 20%. |
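Note | The abstract's core step, distilling several teacher models into one compact student, can be sketched as a multi-teacher distillation objective. The snippet below is a minimal illustration, not the paper's implementation: it assumes a standard temperature-softened softmax and a KL-divergence distillation loss, with teacher outputs combined by simple averaging; the function names and the temperature value are illustrative choices, not taken from the paper.

```python
import math

def softmax(logits, T=1.0):
    """Temperature-softened softmax over a list of raw logits."""
    scaled = [z / T for z in logits]
    m = max(scaled)                      # subtract max for numerical stability
    exps = [math.exp(z - m) for z in scaled]
    total = sum(exps)
    return [e / total for e in exps]

def multi_teacher_soft_targets(teacher_logits, T=4.0):
    """Average the softened class distributions of several teacher models
    (one plausible way to combine teachers; the paper may weight differently)."""
    dists = [softmax(logits, T) for logits in teacher_logits]
    n_classes = len(dists[0])
    return [sum(d[i] for d in dists) / len(dists) for i in range(n_classes)]

def kd_loss(student_logits, teacher_logits, T=4.0):
    """KL divergence from the averaged teacher distribution to the
    student's softened output -- the quantity the student minimizes."""
    p = multi_teacher_soft_targets(teacher_logits, T)
    q = softmax(student_logits, T)
    return sum(pi * (math.log(pi + 1e-12) - math.log(qi + 1e-12))
               for pi, qi in zip(p, q))
```

Once the student matches the averaged teacher behavior, white-box attacks (e.g., gradient-based perturbations) are run against the student, and the resulting adversarial samples are transferred to the black-box target. |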
DOI | 10.1109/ICIP40778.2020.9191063 |
Citation Key | cui_substitute_2020 |