
Transferability Ranking of Adversarial Examples (2208.10878v2)

Published 23 Aug 2022 in cs.LG and cs.CR

Abstract: Adversarial transferability in black-box scenarios presents a unique challenge: while attackers can employ surrogate models to craft adversarial examples, they lack assurance on whether these examples will successfully compromise the target model. Until now, the prevalent method to ascertain success has been trial and error: testing crafted samples directly on the victim model. This approach, however, risks detection with every attempt, forcing attackers to either perfect their first try or face exposure. Our paper introduces a ranking strategy that refines the transfer attack process, enabling the attacker to estimate the likelihood of success without repeated trials on the victim's system. By leveraging a set of diverse surrogate models, our method can predict the transferability of adversarial examples. This strategy can be used either to select the best sample to use in an attack or to select the best perturbation to apply to a specific sample. Using our strategy, we were able to raise the transferability of adversarial examples from a mere 20% (akin to random selection) up to near upper-bound levels, with some scenarios even witnessing a 100% success rate. This substantial improvement not only sheds light on the shared susceptibilities across diverse architectures but also demonstrates that attackers can forego the detectable trial-and-error tactics, raising the threat of surrogate-based attacks.

