Visible to the public Query-Efficient Target-Agnostic Black-Box Attack

Submitted by aekwall on Fri, 03/31/2023 - 9:35am
TitleQuery-Efficient Target-Agnostic Black-Box Attack
Publication TypeConference Paper
Year of Publication2022
AuthorsMoraffah, Raha, Liu, Huan
Conference Name2022 IEEE International Conference on Data Mining (ICDM)
KeywordsBehavioral sciences, Black Box Attacks, black-box attack, Closed box, Complexity theory, composability, Deep Learning, DNN, DNN Security., Knowledge engineering, meta-learning, Metrics, MIMICs, Neural networks, Output Diversifying Sampling, pubcrawl, Resiliency, Surrogate, Target-agnostic Attack, Transferability-based Attack
AbstractAdversarial attacks have recently been proposed to scrutinize the security of deep neural networks. Most blackbox adversarial attacks, which have partial access to the target through queries, are target-specific; e.g., they require a well-trained surrogate that accurately mimics a given target. In contrast, target-agnostic black-box attacks are developed to attack any target; e.g., they learn a generalized surrogate that can adapt to any target via fine-tuning on samples queried from the target. Despite their success, current state-of-the-art target-agnostic attacks require tremendous fine-tuning steps and consequently an immense number of queries to the target to generate successful attacks. The high query complexity of these attacks makes them easily detectable and thus defendable. We propose a novel query-efficient target-agnostic attack that trains a generalized surrogate network to output the adversarial directions iv.r.t. the inputs and equip it with an effective fine-tuning strategy that only fine-tunes the surrogate when it fails to provide useful directions to generate the attacks. Particularly, we show that to effectively adapt to any target and generate successful attacks, it is sufficient to fine-tune the surrogate with informative samples that help the surrogate get out of the failure mode with additional information on the target's local behavior. Extensive experiments on CIFAR10 and CIFAR-100 datasets demonstrate that the proposed target-agnostic approach can generate highly successful attacks for any target network with very few fine-tuning steps and thus significantly smaller number of queries (reduced by several order of magnitudes) compared to the state-of-the-art baselines.
DOI10.1109/ICDM54844.2022.00047
Citation Keymoraffah_query-efficient_2022
Groups: