GenAttack: practical black-box attacks with gradient-free optimization

@article{Alzantot2019GenAttackPB,
  title={GenAttack: practical black-box attacks with gradient-free optimization},
  author={Moustafa Alzantot and Yash Sharma and Supriyo Chakraborty and Mani B. Srivastava},
  journal={Proceedings of the Genetic and Evolutionary Computation Conference},
  year={2019}
}
Deep neural networks are vulnerable to adversarial examples, even in the black-box setting, where the attacker is restricted solely to query access. Existing black-box approaches to generating adversarial examples typically require a significant number of queries, either for training a substitute network or performing gradient estimation. We introduce GenAttack, a gradient-free optimization technique that uses genetic algorithms for synthesizing adversarial examples in the black-box setting…
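The core loop of such a genetic-algorithm attack is straightforward to sketch. Below is a minimal, illustrative Python implementation of a targeted, score-based black-box attack in this spirit; the model_scores interface, the log-probability fitness, and all hyperparameters (population size, mutation rate, L-infinity budget) are assumptions for illustration, not GenAttack's exact algorithm.

import numpy as np

def genetic_blackbox_attack(x, target_label, model_scores,
                            pop_size=6, eps=0.05, mutation_rate=0.005,
                            num_generations=1000):
    # Illustrative GA loop (not the paper's exact method): maintain a population
    # of perturbed copies of x inside an L_inf ball of radius eps.
    population = np.clip(
        x + np.random.uniform(-eps, eps, size=(pop_size,) + x.shape), 0.0, 1.0)

    for _ in range(num_generations):
        probs = model_scores(population)                  # query the black-box model
        fitness = np.log(probs[:, target_label] + 1e-12)  # favor the target class

        elite_idx = int(np.argmax(fitness))
        elite = population[elite_idx]
        if int(np.argmax(probs[elite_idx])) == target_label:
            return elite                                  # adversarial example found

        # Selection: sample parent pairs with probability given by a softmax
        # over fitness values.
        sel = np.exp(fitness - fitness.max())
        sel /= sel.sum()
        parents = np.random.choice(pop_size, size=(pop_size - 1, 2), p=sel)

        children = []
        for i, j in parents:
            mask = np.random.rand(*x.shape) < 0.5         # uniform crossover
            child = np.where(mask, population[i], population[j])
            mutate = np.random.rand(*x.shape) < mutation_rate
            child = child + mutate * np.random.uniform(-eps, eps, size=x.shape)
            # Project back into the perturbation ball and the valid pixel range.
            child = np.clip(np.clip(child, x - eps, x + eps), 0.0, 1.0)
            children.append(child)

        # Elitism: the best member survives unchanged into the next generation.
        population = np.stack([elite] + children)

    return elite  # best candidate found within the generation budget

The full GenAttack method additionally applies refinements such as adaptive parameter scaling and dimensionality reduction of the search space to keep query counts low; this sketch omits them.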
Citations

EvoBA: An Evolution Strategy as a Strong Baseline for Black-Box Adversarial Attacks
EvoBA is proposed as a query-efficient L0 black-box adversarial attack which, together with the aforementioned methods, can serve as a generic tool to assess the empirical robustness of image classifiers.
They Might NOT Be Giants: Crafting Black-Box Adversarial Examples Using Particle Swarm Optimization
AdversarialPSO is a black-box attack that uses few queries to create adversarial examples with high success rates, based on Particle Swarm Optimization, a gradient-free evolutionary search algorithm, with special adaptations to make it effective for the black-box setting.
An Empirical Study of Derivative-Free-Optimization Algorithms for Targeted Black-Box Attacks in Deep Neural Networks
We perform a comprehensive study on the performance of derivative-free optimization (DFO) algorithms for the generation of targeted black-box adversarial attacks on Deep Neural Networks (DNNs)…
A Black-box Adversarial Attack Strategy with Adjustable Sparsity and Generalizability for Deep Image Classifiers
The proposed DEceit algorithm for constructing effective universal pixel-restricted perturbations using only black-box feedback from the target network achieves a commendable and highly transferable Fooling Rate while retaining the visual quality.
A Model-Based Derivative-Free Approach to Black-Box Adversarial Examples: BOBYQA
It is demonstrated that model-based derivative-free optimisation algorithms can generate adversarial targeted misclassification of deep networks using fewer network queries than non-model-based methods, and the proposed BOBYQA-based method achieves state-of-the-art results.
Black-box adversarial attacks using evolution strategies
The results show that the attacked neural networks can be, in most cases, easily fooled by all the algorithms under comparison, and that some black-box optimization algorithms may be better in "harder" setups, both in terms of attack success rate and efficiency.
They Might NOT Be Giants: Crafting Black-Box Adversarial Examples with Fewer Queries Using Particle Swarm Optimization
AdversarialPSO is a black-box attack that uses fewer queries to create adversarial examples with high success rates, based on the evolutionary search algorithm Particle Swarm Optimization, a population-based gradient-free optimization algorithm.
MGAAttack: Toward More Query-efficient Black-box Attack by Microbial Genetic Algorithm
This work proposes a novel attack, called MGAAttack, which is a query-efficient and gradient-free black-box attack without obtaining any knowledge of the target model, and solves a discretized problem by using a simple yet effective microbial genetic algorithm (MGA).
Man-in-the-Middle Attacks Against Machine Learning Classifiers Via Malicious Generative Models
This work explores vulnerabilities of DNN models under the umbrella of Man-in-the-Middle (MitM) attacks, which have not been investigated before, and investigates the use of a VAE decoder to either transform benign inputs into their adversarial counterparts or decode outputs from benign VAE encoders into adversarial examples.
Hybrid Batch Attacks: Finding Black-box Adversarial Examples with Limited Queries
This work proposes hybrid attacks that combine both strategies, using candidate adversarial examples from local models as starting points for optimization-based attacks and using labels learned in optimization-based attacks to tune local models for finding transfer candidates.

References

Showing 1-10 of 45 references
Black-box Adversarial Attacks with Limited Queries and Information
This work defines three realistic threat models that more accurately characterize many real-world classifiers: the query-limited setting, the partial-information setting, and the label-only setting, and develops new attacks that fool classifiers under these more restrictive threat models.
AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks
Experimental results suggest that, by applying AutoZOOM to a state-of-the-art black-box attack (ZOO), a significant reduction in model queries can be achieved without sacrificing the attack success rate and the visual quality of the resulting adversarial examples.
ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models
An effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN is proposed, sparing the need for training substitute models and avoiding the loss in attack transferability. A minimal sketch of this zeroth-order, finite-difference idea appears after this reference list.
Practical Black-Box Attacks against Machine Learning
This work introduces the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge, and finds that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.
Towards Deep Neural Network Architectures Robust to Adversarial Examples
Deep Contractive Network is proposed, a model with a new end-to-end training procedure that includes a smoothness penalty inspired by the contractive autoencoder (CAE) to increase the network robustness to adversarial examples, without a significant performance penalty.
EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples
Elastic-net attacks to DNNs (EAD) feature $L_1$-oriented adversarial examples and include the state-of-the-art $L_2$ attack as a special case, suggesting novel insights on leveraging $L_1$ distortion in adversarial machine learning and the security implications of DNNs.
Towards Deep Learning Models Resistant to Adversarial Attacks
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
Ensemble Adversarial Training: Attacks and Defenses
This work finds that adversarial training remains vulnerable to black-box attacks, where perturbations computed on undefended models are transferred to the defended model, and introduces a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step.
Delving into Transferable Adversarial Examples and Black-box Attacks
This work is the first to conduct an extensive study of transferability over large models and a large-scale dataset, and it is also the first to study the transferability of targeted adversarial examples with their target labels.
The Limitations of Adversarial Training and the Blind-Spot Attack
It is shown that the effectiveness of adversarial training has a strong correlation with the distance between a test point and the manifold of training data embedded by the network, and that blind spots also exist on provable defenses including (Wong & Kolter, 2018) and (Sinha et al., 2018).
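For contrast with the genetic-algorithm approach sketched above, the zeroth-order attacks cited here (ZOO, AutoZOOM) estimate gradients directly from score queries. The sketch below shows coordinate-wise symmetric finite differences, the basic idea behind such estimators; the model_scores and loss_from_scores interfaces, the number of sampled coordinates, and the step size are illustrative assumptions, not the exact estimators or solvers used in those papers.

import numpy as np

def estimate_gradient(x, model_scores, loss_from_scores, num_coords=128, h=1e-4):
    # Zeroth-order estimate of the gradient of a scalar attack loss at x,
    # using symmetric finite differences along a random subset of coordinates.
    # model_scores(batch) is assumed to return class probabilities for a batch;
    # loss_from_scores(probs) maps one probability vector to the scalar loss.
    grad = np.zeros_like(x)
    flat = x.reshape(-1)
    coords = np.random.choice(flat.size, size=min(num_coords, flat.size),
                              replace=False)
    for c in coords:
        e = np.zeros_like(flat)
        e[c] = h
        batch = np.stack([flat + e, flat - e]).reshape((2,) + x.shape)
        probs = model_scores(batch)                      # two queries per coordinate
        grad.flat[c] = (loss_from_scores(probs[0]) -
                        loss_from_scores(probs[1])) / (2.0 * h)
    return grad  # feed into a plain gradient-descent or Adam-style update on x

The estimated gradient then drives an iterative update on x, at a cost of two queries per sampled coordinate per step, which is why query-efficiency techniques such as AutoZOOM's autoencoder-based dimensionality reduction matter.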