Practical Black-Box Attacks on Deep Neural Networks Using Efficient Query Mechanisms


Ontology type: schema:Chapter     


Chapter Info

DATE

2018-10-06

AUTHORS

Arjun Nitin Bhagoji, Warren He, Bo Li, Dawn Song

ABSTRACT

Existing black-box attacks on deep neural networks (DNNs) have largely focused on transferability, where an adversarial instance generated for a locally trained model can “transfer” to attack other learning models. In this paper, we propose novel Gradient Estimation black-box attacks for adversaries with query access to the target model’s class probabilities, which do not rely on transferability. We also propose strategies to decouple the number of queries required to generate each adversarial sample from the dimensionality of the input. An iterative variant of our attack achieves close to 100% attack success rates for both targeted and untargeted attacks on DNNs. We carry out a thorough comparative evaluation of black-box attacks and show that Gradient Estimation attacks achieve attack success rates similar to state-of-the-art white-box attacks on the MNIST and CIFAR-10 datasets. We also apply the Gradient Estimation attacks successfully against real-world classifiers hosted by Clarifai. Further, we evaluate black-box attacks against state-of-the-art defenses based on adversarial training and show that the Gradient Estimation attacks are very effective even against these defenses.

PAGES

158-174

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-030-01258-8_10

DOI

http://dx.doi.org/10.1007/978-3-030-01258-8_10

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1107454769



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Artificial Intelligence and Image Processing", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "Princeton University, Princeton, USA", 
          "id": "http://www.grid.ac/institutes/grid.16750.35", 
          "name": [
            "Princeton University, Princeton, USA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Bhagoji", 
        "givenName": "Arjun Nitin", 
        "id": "sg:person.014314722116.55", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014314722116.55"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "University of California, Berkeley, Berkeley, USA", 
          "id": "http://www.grid.ac/institutes/grid.47840.3f", 
          "name": [
            "University of California, Berkeley, Berkeley, USA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "He", 
        "givenName": "Warren", 
        "id": "sg:person.014411735025.19", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014411735025.19"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "University of Illinois at Urbana-Champaign, Champaign, USA", 
          "id": "http://www.grid.ac/institutes/grid.35403.31", 
          "name": [
            "University of Illinois at Urbana-Champaign, Champaign, USA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Li", 
        "givenName": "Bo", 
        "id": "sg:person.011355161257.61", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011355161257.61"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "University of California, Berkeley, Berkeley, USA", 
          "id": "http://www.grid.ac/institutes/grid.47840.3f", 
          "name": [
            "University of California, Berkeley, Berkeley, USA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Song", 
        "givenName": "Dawn", 
        "id": "sg:person.01143152610.86", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.01143152610.86"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2018-10-06", 
    "datePublishedReg": "2018-10-06", 
    "description": "Existing black-box attacks on deep neural networks (DNNs) have largely focused on transferability, where an adversarial instance generated for a locally trained model can \u201ctransfer\u201d to attack other learning models. In this paper, we propose novel Gradient Estimation black-box attacks for adversaries with query access to the target model\u2019s class probabilities, which do not rely on transferability. We also propose strategies to decouple the number of queries required to generate each adversarial sample from the dimensionality of the input. An iterative variant of our attack achieves close to 100% attack success rates for both targeted and untargeted attacks on DNNs. We carry out a thorough comparative evaluation of black-box attacks and show that Gradient Estimation attacks achieve attack success rates similar to state-of-the-art white-box attacks on the MNIST and CIFAR-10 datasets. We also apply the Gradient Estimation attacks successfully against real-world classifiers hosted by Clarifai. Further, we evaluate black-box attacks against state-of-the-art defenses based on adversarial training and show that the Gradient Estimation attacks are very effective even against these defenses.", 
    "editor": [
      {
        "familyName": "Ferrari", 
        "givenName": "Vittorio", 
        "type": "Person"
      }, 
      {
        "familyName": "Hebert", 
        "givenName": "Martial", 
        "type": "Person"
      }, 
      {
        "familyName": "Sminchisescu", 
        "givenName": "Cristian", 
        "type": "Person"
      }, 
      {
        "familyName": "Weiss", 
        "givenName": "Yair", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-030-01258-8_10", 
    "inLanguage": "en", 
    "isAccessibleForFree": false, 
    "isPartOf": {
      "isbn": [
        "978-3-030-01257-1", 
        "978-3-030-01258-8"
      ], 
      "name": "Computer Vision \u2013 ECCV 2018", 
      "type": "Book"
    }, 
    "keywords": [
      "black-box attacks", 
      "deep neural networks", 
      "attack success rate", 
      "estimation attacks", 
      "neural network", 
      "Practical Black-Box Attacks", 
      "efficient query mechanism", 
      "class probabilities", 
      "CIFAR-10 dataset", 
      "white-box attacks", 
      "number of queries", 
      "thorough comparative evaluation", 
      "query mechanism", 
      "untargeted attacks", 
      "query access", 
      "adversarial samples", 
      "adversarial training", 
      "adversarial instances", 
      "learning model", 
      "art defenses", 
      "iterative variant", 
      "attacks", 
      "network", 
      "Clarifai", 
      "queries", 
      "MNIST", 
      "adversary", 
      "classifier", 
      "dataset", 
      "success rate", 
      "dimensionality", 
      "comparative evaluation", 
      "instances", 
      "access", 
      "model", 
      "input", 
      "transferability", 
      "training", 
      "state", 
      "probability", 
      "evaluation", 
      "number", 
      "strategies", 
      "defense", 
      "variants", 
      "mechanism", 
      "rate", 
      "samples", 
      "paper"
    ], 
    "name": "Practical Black-Box Attacks on Deep Neural Networks Using Efficient Query Mechanisms", 
    "pagination": "158-174", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1107454769"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-030-01258-8_10"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-030-01258-8_10", 
      "https://app.dimensions.ai/details/publication/pub.1107454769"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-05-20T07:41", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220519/entities/gbq_results/chapter/chapter_12.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-030-01258-8_10"
  }
]
 


HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-01258-8_10'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-01258-8_10'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-01258-8_10'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-01258-8_10'


 

This table lists all metadata directly associated with this object as RDF triples.

151 triples, 23 predicates, 74 URIs, 67 literals, 7 blank nodes

Subject Predicate Object
1 sg:pub.10.1007/978-3-030-01258-8_10 schema:about anzsrc-for:08
2 anzsrc-for:0801
3 schema:author N9d5e3dd0a3d54144805cd09d1d52ce75
4 schema:datePublished 2018-10-06
5 schema:datePublishedReg 2018-10-06
6 schema:description Existing black-box attacks on deep neural networks (DNNs) have largely focused on transferability, where an adversarial instance generated for a locally trained model can “transfer” to attack other learning models. In this paper, we propose novel Gradient Estimation black-box attacks for adversaries with query access to the target model’s class probabilities, which do not rely on transferability. We also propose strategies to decouple the number of queries required to generate each adversarial sample from the dimensionality of the input. An iterative variant of our attack achieves close to 100% attack success rates for both targeted and untargeted attacks on DNNs. We carry out a thorough comparative evaluation of black-box attacks and show that Gradient Estimation attacks achieve attack success rates similar to state-of-the-art white-box attacks on the MNIST and CIFAR-10 datasets. We also apply the Gradient Estimation attacks successfully against real-world classifiers hosted by Clarifai. Further, we evaluate black-box attacks against state-of-the-art defenses based on adversarial training and show that the Gradient Estimation attacks are very effective even against these defenses.
7 schema:editor N2533048aa649409d972e37ec10775202
8 schema:genre chapter
9 schema:inLanguage en
10 schema:isAccessibleForFree false
11 schema:isPartOf N8587484de5984c90b494b0767ff65ec5
12 schema:keywords CIFAR-10 dataset
13 Clarifai
14 MNIST
15 Practical Black-Box Attacks
16 access
17 adversarial instances
18 adversarial samples
19 adversarial training
20 adversary
21 art defenses
22 attack success rate
23 attacks
24 black-box attacks
25 class probabilities
26 classifier
27 comparative evaluation
28 dataset
29 deep neural networks
30 defense
31 dimensionality
32 efficient query mechanism
33 estimation attacks
34 evaluation
35 input
36 instances
37 iterative variant
38 learning model
39 mechanism
40 model
41 network
42 neural network
43 number
44 number of queries
45 paper
46 probability
47 queries
48 query access
49 query mechanism
50 rate
51 samples
52 state
53 strategies
54 success rate
55 thorough comparative evaluation
56 training
57 transferability
58 untargeted attacks
59 variants
60 white-box attacks
61 schema:name Practical Black-Box Attacks on Deep Neural Networks Using Efficient Query Mechanisms
62 schema:pagination 158-174
63 schema:productId N2609b14842c5427d90a0a41f2fc68969
64 Ncae3fab3dae04219ad05cd6d3eb88f9f
65 schema:publisher Ne0a62188fd5349d993647fae46b9338f
66 schema:sameAs https://app.dimensions.ai/details/publication/pub.1107454769
67 https://doi.org/10.1007/978-3-030-01258-8_10
68 schema:sdDatePublished 2022-05-20T07:41
69 schema:sdLicense https://scigraph.springernature.com/explorer/license/
70 schema:sdPublisher Neb55d98f0a024c5f854ef6201c4d83bf
71 schema:url https://doi.org/10.1007/978-3-030-01258-8_10
72 sgo:license sg:explorer/license/
73 sgo:sdDataset chapters
74 rdf:type schema:Chapter
75 N147cbef176c04fafb1ad9940877c2247 schema:familyName Sminchisescu
76 schema:givenName Cristian
77 rdf:type schema:Person
78 N1bed8a2cbeee45ce86dfc0ff295927e1 rdf:first N586d5520ffa147619ebb4371f26e28d3
79 rdf:rest rdf:nil
80 N213cb5050a2c4a658e49c0841e75a631 schema:familyName Ferrari
81 schema:givenName Vittorio
82 rdf:type schema:Person
83 N2533048aa649409d972e37ec10775202 rdf:first N213cb5050a2c4a658e49c0841e75a631
84 rdf:rest Ncdcd249436704104a15f64712f369d36
85 N2609b14842c5427d90a0a41f2fc68969 schema:name dimensions_id
86 schema:value pub.1107454769
87 rdf:type schema:PropertyValue
88 N586d5520ffa147619ebb4371f26e28d3 schema:familyName Weiss
89 schema:givenName Yair
90 rdf:type schema:Person
91 N5c2ac97e16d54cc098e3f15e82c108c7 rdf:first sg:person.014411735025.19
92 rdf:rest N90021884d3594206a6323a1c918b70f3
93 N705a260c917f4bdfb1308309894dc7a8 rdf:first N147cbef176c04fafb1ad9940877c2247
94 rdf:rest N1bed8a2cbeee45ce86dfc0ff295927e1
95 N8587484de5984c90b494b0767ff65ec5 schema:isbn 978-3-030-01257-1
96 978-3-030-01258-8
97 schema:name Computer Vision – ECCV 2018
98 rdf:type schema:Book
99 N90021884d3594206a6323a1c918b70f3 rdf:first sg:person.011355161257.61
100 rdf:rest Nf569a133300845cea27a945fdb5f1b05
101 N9b1cd51459434ed1a24315dd40ab4558 schema:familyName Hebert
102 schema:givenName Martial
103 rdf:type schema:Person
104 N9d5e3dd0a3d54144805cd09d1d52ce75 rdf:first sg:person.014314722116.55
105 rdf:rest N5c2ac97e16d54cc098e3f15e82c108c7
106 Ncae3fab3dae04219ad05cd6d3eb88f9f schema:name doi
107 schema:value 10.1007/978-3-030-01258-8_10
108 rdf:type schema:PropertyValue
109 Ncdcd249436704104a15f64712f369d36 rdf:first N9b1cd51459434ed1a24315dd40ab4558
110 rdf:rest N705a260c917f4bdfb1308309894dc7a8
111 Ne0a62188fd5349d993647fae46b9338f schema:name Springer Nature
112 rdf:type schema:Organisation
113 Neb55d98f0a024c5f854ef6201c4d83bf schema:name Springer Nature - SN SciGraph project
114 rdf:type schema:Organization
115 Nf569a133300845cea27a945fdb5f1b05 rdf:first sg:person.01143152610.86
116 rdf:rest rdf:nil
117 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
118 schema:name Information and Computing Sciences
119 rdf:type schema:DefinedTerm
120 anzsrc-for:0801 schema:inDefinedTermSet anzsrc-for:
121 schema:name Artificial Intelligence and Image Processing
122 rdf:type schema:DefinedTerm
123 sg:person.011355161257.61 schema:affiliation grid-institutes:grid.35403.31
124 schema:familyName Li
125 schema:givenName Bo
126 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011355161257.61
127 rdf:type schema:Person
128 sg:person.01143152610.86 schema:affiliation grid-institutes:grid.47840.3f
129 schema:familyName Song
130 schema:givenName Dawn
131 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.01143152610.86
132 rdf:type schema:Person
133 sg:person.014314722116.55 schema:affiliation grid-institutes:grid.16750.35
134 schema:familyName Bhagoji
135 schema:givenName Arjun Nitin
136 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014314722116.55
137 rdf:type schema:Person
138 sg:person.014411735025.19 schema:affiliation grid-institutes:grid.47840.3f
139 schema:familyName He
140 schema:givenName Warren
141 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014411735025.19
142 rdf:type schema:Person
143 grid-institutes:grid.16750.35 schema:alternateName Princeton University, Princeton, USA
144 schema:name Princeton University, Princeton, USA
145 rdf:type schema:Organization
146 grid-institutes:grid.35403.31 schema:alternateName University of Illinois at Urbana-Champaign, Champaign, USA
147 schema:name University of Illinois at Urbana-Champaign, Champaign, USA
148 rdf:type schema:Organization
149 grid-institutes:grid.47840.3f schema:alternateName University of California, Berkeley, Berkeley, USA
150 schema:name University of California, Berkeley, Berkeley, USA
151 rdf:type schema:Organization
 



