Name
Abstract | ||
|---|---|---|
We investigate how an adversary can optimally use its query budget for targeted evasion attacks against deep neural networks in a black-box setting. We formalize the problem setting and systematically evaluate what benefits the adversary can gain by using substitute models. We show that there is an exploration-exploitation tradeoff in that query efficiency comes at the cost of effectiveness. We present two new attack strategies for using substitute models and show that they are as effective as previous "query-only'' techniques but require significantly fewer queries, by up to three orders of magnitude. We also show that an agile adversary capable of switching through different attack techniques can achieve pareto-optimal efficiency. We demonstrate our attack against Google Cloud Vision showing that the difficulty of targeted black-box attacks against real-world prediction APIs is significantly easier than previously thought (requiring ≈500 queries instead of ≈20,000 as in previous work).
|
Year | DOI | Venue |
|---|---|---|
2019 | 10.1145/3338501.3357366 | Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security |
Keywords | DocType | Volume |
adversarial example, neural networks | Conference | abs/1906.03397 |
ISBN | Citations | PageRank |
978-1-4503-6833-9 | 0 | 0.34 |
References | Authors | |
26 | 3 | |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Mika Juuti | 1 | 62 | 5.34 |
| Buse Gul Atli | 2 | 1 | 1.02 |
| N. Asokan | 3 | 2889 | 211.44 |