Latent Code Augmentation Based on Stable Diffusion for Data-free Substitute Attacks (2307.12872v2)

Published 24 Jul 2023 in cs.CV, cs.CR, and cs.LG

Abstract: Since the training data of the target model is not available in a black-box substitute attack, most recent schemes use GANs to generate data for training the substitute model. These GAN-based schemes, however, suffer from low training efficiency, because the generator has to be retrained for each target model during substitute training, and from low generation quality. To overcome these limitations, we use a diffusion model to generate data and propose a novel data-free substitute attack scheme based on Stable Diffusion (SD) that improves the efficiency and accuracy of substitute training. Although the data generated by SD is of high quality, its domain distribution differs from that of the target model's data, and its positive and negative samples vary widely with respect to the target model. To address this, we propose Latent Code Augmentation (LCA), which steers SD towards generating data that aligns with the data distribution of the target model. Specifically, we augment the latent codes of the inferred member data with LCA and use them as guidance for SD. With this guidance, the data generated by SD not only meets the discriminative criteria of the target model but also exhibits high diversity. Using this data, a substitute model that closely resembles the target model can be trained more efficiently. Extensive experiments demonstrate that LCA achieves higher attack success rates and requires smaller query budgets than GAN-based schemes for a range of target models. Our code is available at https://github.com/LzhMeng/LCA.
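To make the pipeline the abstract describes concrete, the script below is an added example written for this page, not the authors' code: their generator is Stable Diffusion guided by LCA-augmented latent codes of inferred member data, whereas here a fixed random linear decoder stands in for the generator and the latent augmentation is assumed to be plain mixup of latent-code pairs plus Gaussian jitter. The target model, its data distribution and the query budget are all constructed. What the example shows is the structure of a data-free substitute attack: a hard-label oracle that charges per query, substitute training on oracle labels alone, an FGSM perturbation computed white-box on the substitute and transferred to the target, and, via the low-rank decoder setting, the domain-mismatch problem the abstract raises (a substitute trained on generated data that does not cover the target's input distribution agrees poorly with the target).

```python
"""Toy end-to-end black-box substitute attack, numpy only (added illustration).

Not the paper's code. The paper generates images with Stable Diffusion guided by
LCA-augmented latent codes; here a fixed random linear decoder stands in for the
generator, and "latent augmentation" is assumed to be mixup of latent-code pairs
plus Gaussian jitter. The target model and all data are constructed synthetically.
"""
import numpy as np

D_IN = 10    # input dimension of the target model
D_LAT = 10   # latent dimension of the stand-in generator


class BlackBoxTarget:
    """Hard-label oracle: the attacker sees only argmax labels and pays per query."""

    def __init__(self, rng):
        self.w = rng.normal(size=D_IN)
        self.w /= np.linalg.norm(self.w)
        self.b = 0.0
        self.queries = 0

    def query(self, x):
        self.queries += x.shape[0]
        return self._labels(x)

    def _labels(self, x):
        # Internal ground truth; used by the scoring code only, never by the attacker.
        return (x @ self.w + self.b > 0).astype(int)

    def sample_member_like(self, n, rng):
        # Defender-side data distribution (standard normal); the attacker holds none of it.
        return rng.normal(size=(n, D_IN))


def make_decoder(rng, rank):
    """Fixed random linear decoder from latent to input space.

    rank < D_IN zeroes latent directions, so generated data lives in a subspace of
    the input space: a cheap stand-in for the domain mismatch the abstract warns about.
    """
    basis = rng.normal(size=(D_LAT, D_IN))
    basis[rank:] = 0.0
    return basis


def augment_latents(z, rng, jitter=0.3):
    """Assumed latent augmentation: mixup between random latent pairs plus jitter."""
    perm = rng.permutation(z.shape[0])
    lam = rng.uniform(0.2, 0.8, size=(z.shape[0], 1))
    mixed = lam * z + (1.0 - lam) * z[perm]
    return mixed + jitter * rng.normal(size=z.shape)


def generate(n, decoder, rng, augment=True):
    z = rng.normal(size=(n, D_LAT))
    if augment:
        z = augment_latents(z, rng)
    return z @ decoder


def train_substitute(x, y, steps=500, lr=0.5):
    """Logistic-regression substitute fitted to oracle labels by gradient descent."""
    w = np.zeros(x.shape[1])
    b = 0.0
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(x @ w + b)))
        g = p - y                          # dBCE/dlogit
        w -= lr * x.T @ g / len(y)
        b -= lr * g.mean()
    return w, b


def fgsm(x, y, w, b, eps):
    """One-step L_inf attack computed white-box on the substitute."""
    p = 1.0 / (1.0 + np.exp(-(x @ w + b)))
    grad_x = (p - y)[:, None] * w[None, :]   # dBCE/dx for a logistic model
    return x + eps * np.sign(grad_x)


def run_attack(rank=D_IN, augment=True, budget=2000, eps=1.0, seed=0):
    """Spend `budget` queries labelling generated data, train a substitute, transfer FGSM."""
    rng = np.random.default_rng(seed)
    target = BlackBoxTarget(rng)
    decoder = make_decoder(rng, rank)

    x_syn = generate(budget, decoder, rng, augment)
    y_syn = target.query(x_syn)              # the attacker's only contact with the target
    w, b = train_substitute(x_syn, y_syn)

    # Scoring on defender-distribution data via the oracle's internals (no queries counted).
    x_eval = target.sample_member_like(1000, rng)
    y_eval = target._labels(x_eval)
    agreement = float(np.mean(((x_eval @ w + b) > 0).astype(int) == y_eval))
    y_adv = target._labels(fgsm(x_eval, y_eval, w, b, eps))
    success = float(np.mean(y_adv != y_eval))
    return {"queries": target.queries, "agreement": agreement, "transfer_success": success}


if __name__ == "__main__":
    print("aligned generator :", run_attack(rank=D_IN))
    print("low-rank generator:", run_attack(rank=3))
```

With the full-rank decoder the substitute agrees with the target on well over 90% of defender-distribution inputs after 2000 hard-label queries, and the FGSM perturbations crafted on it flip the target's decision on most evaluation points. With `rank=3` the generated data spans only a three-dimensional slice of the input space, the substitute's weights stay in that slice (gradient descent from zero never leaves the row space of the training data), and agreement drops sharply: the same query budget buys a much worse substitute, which is the motivation for aligning the generator with the target's data distribution rather than just generating high-quality samples.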
