Your Attack Is Too DUMB: Formalizing Attacker Scenarios for Adversarial Transferability (2306.15363v1)

Published 27 Jun 2023 in cs.CR and cs.LG

Abstract: Evasion attacks are a threat to machine learning models, where adversaries attempt to affect classifiers by injecting malicious samples. An alarming side-effect of evasion attacks is their ability to transfer among different models: this property is called transferability. Therefore, an attacker can produce adversarial samples on a custom model (surrogate) to conduct the attack on a victim's organization later. Although the literature widely discusses how adversaries can transfer their attacks, the experimental settings are limited and far from reality. For instance, many experiments consider both attacker and defender sharing the same dataset, balance level (i.e., how the ground truth is distributed), and model architecture. In this work, we propose the DUMB attacker model. This framework allows analyzing whether evasion attacks fail to transfer when the training conditions of surrogate and victim models differ. DUMB considers the following conditions: Dataset soUrces, Model architecture, and the Balance of the ground truth. We then propose a novel testbed to evaluate many state-of-the-art evasion attacks with DUMB; the testbed consists of three computer vision tasks with two distinct datasets each, four types of balance levels, and three model architectures. Our analysis, which generated 13K tests over 14 distinct attacks, led to numerous novel findings in the scope of transferable attacks with surrogate models. In particular, mismatches between attackers and victims in terms of dataset source, balance levels, and model architecture lead to a non-negligible loss of attack performance.
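Added example (not the paper's code) showing how the DUMB taxonomy in the abstract can be operationalised on the defender's side: enumerate the surrogate/victim training conditions for one task (2 dataset sources, 4 balance levels, 3 architectures, with assumed labels), classify each ordered pair by which conditions mismatch, and aggregate constructed transfer-success rates per mismatch pattern to quantify the loss relative to the fully matched setting.

```python
"""Constructed example (not the paper's code): classify surrogate/victim pairs by the
DUMB dimensions on which their training conditions differ, then aggregate transfer
success per mismatch pattern to quantify the loss versus the fully matched setting."""
from dataclasses import dataclass
from itertools import product
from statistics import mean

# Assumed labels for one task of the testbed: 2 dataset sources, 4 balance levels, 3 architectures.
DATASETS = ("source_A", "source_B")
BALANCES = ("balanced", "mild_imbalance", "strong_imbalance", "extreme_imbalance")
ARCHS = ("resnet", "vgg", "alexnet")
DIMS = ("dataset", "balance", "arch")

@dataclass(frozen=True)
class Condition:
    dataset: str
    balance: str
    arch: str

def mismatch(surrogate: Condition, victim: Condition) -> frozenset:
    """Set of DUMB dimensions on which the attacker's surrogate differs from the victim."""
    return frozenset(d for d in DIMS if getattr(surrogate, d) != getattr(victim, d))

def all_conditions() -> list:
    return [Condition(*c) for c in product(DATASETS, BALANCES, ARCHS)]

def pairs_by_mismatch(conds: list) -> dict:
    """Group every ordered (surrogate, victim) pair by its mismatch pattern."""
    groups: dict = {}
    for s, v in product(conds, conds):
        groups.setdefault(mismatch(s, v), []).append((s, v))
    return groups

def transfer_loss(results: list) -> dict:
    """results: (surrogate, victim, success_rate) triples from a transfer experiment.
    Returns, per mismatch pattern, mean success and the drop relative to the matched case."""
    by_pattern: dict = {}
    for s, v, rate in results:
        by_pattern.setdefault(mismatch(s, v), []).append(rate)
    matched = mean(by_pattern.get(frozenset(), [0.0]))
    return {tuple(sorted(p)): (round(mean(r), 3), round(matched - mean(r), 3))
            for p, r in by_pattern.items()}

# Constructed success rates (illustrative numbers, not the paper's measurements).
SAMPLE_RESULTS = [
    (Condition("source_A", "balanced", "resnet"), Condition("source_A", "balanced", "resnet"), 0.95),
    (Condition("source_A", "balanced", "resnet"), Condition("source_B", "balanced", "resnet"), 0.60),
    (Condition("source_A", "balanced", "resnet"), Condition("source_A", "balanced", "vgg"), 0.40),
    (Condition("source_A", "balanced", "resnet"), Condition("source_B", "extreme_imbalance", "vgg"), 0.20),
    (Condition("source_B", "mild_imbalance", "vgg"), Condition("source_B", "mild_imbalance", "vgg"), 0.85),
]

if __name__ == "__main__":
    for pattern, pairs in sorted(pairs_by_mismatch(all_conditions()).items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(f"{sorted(pattern) or ['matched']}: {len(pairs)} surrogate/victim pairs")
    for pattern, (succ, drop) in transfer_loss(SAMPLE_RESULTS).items():
        print(f"{pattern or 'matched'}: mean success {succ}, drop vs matched {drop}")
```

The grouping makes the size of each mismatch class explicit (for instance, 144 of the 576 ordered pairs per task differ on all three dimensions), which is what lets per-pattern success rates be compared on equal footing.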
