TY - GEN
T1 - Query-Efficient Target-Agnostic Black-Box Attack
AU - Moraffah, Raha
AU - Liu, Huan
N1 - Funding Information:
This work is supported by Army Research Office (ARO) W911NF2110030 and Army Research Laboratory (ARL) W911NF2020124. Opinions, interpretations, conclusions, and recommendations are those of the authors and should not be interpreted as representing the official views or policies of the Army Research Office or the Army Research Lab.
Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Adversarial attacks have recently been proposed to scrutinize the security of deep neural networks. Most black-box adversarial attacks, which have partial access to the target through queries, are target-specific; e.g., they require a well-trained surrogate that accurately mimics a given target. In contrast, target-agnostic black-box attacks are developed to attack any target; e.g., they learn a generalized surrogate that can adapt to any target via fine-tuning on samples queried from the target. Despite their success, current state-of-the-art target-agnostic attacks require tremendous fine-tuning steps and consequently an immense number of queries to the target to generate successful attacks. The high query complexity of these attacks makes them easily detectable and thus defendable. We propose a novel query-efficient target-agnostic attack that trains a generalized surrogate network to output the adversarial directions w.r.t. the inputs and equips it with an effective fine-tuning strategy that only fine-tunes the surrogate when it fails to provide useful directions to generate the attacks. Particularly, we show that to effectively adapt to any target and generate successful attacks, it is sufficient to fine-tune the surrogate with informative samples that help the surrogate get out of the failure mode with additional information on the target's local behavior. Extensive experiments on CIFAR-10 and CIFAR-100 datasets demonstrate that the proposed target-agnostic approach can generate highly successful attacks for any target network with very few fine-tuning steps and thus a significantly smaller number of queries (reduced by several orders of magnitude) compared to the state-of-the-art baselines.
AB - Adversarial attacks have recently been proposed to scrutinize the security of deep neural networks. Most black-box adversarial attacks, which have partial access to the target through queries, are target-specific; e.g., they require a well-trained surrogate that accurately mimics a given target. In contrast, target-agnostic black-box attacks are developed to attack any target; e.g., they learn a generalized surrogate that can adapt to any target via fine-tuning on samples queried from the target. Despite their success, current state-of-the-art target-agnostic attacks require tremendous fine-tuning steps and consequently an immense number of queries to the target to generate successful attacks. The high query complexity of these attacks makes them easily detectable and thus defendable. We propose a novel query-efficient target-agnostic attack that trains a generalized surrogate network to output the adversarial directions w.r.t. the inputs and equips it with an effective fine-tuning strategy that only fine-tunes the surrogate when it fails to provide useful directions to generate the attacks. Particularly, we show that to effectively adapt to any target and generate successful attacks, it is sufficient to fine-tune the surrogate with informative samples that help the surrogate get out of the failure mode with additional information on the target's local behavior. Extensive experiments on CIFAR-10 and CIFAR-100 datasets demonstrate that the proposed target-agnostic approach can generate highly successful attacks for any target network with very few fine-tuning steps and thus a significantly smaller number of queries (reduced by several orders of magnitude) compared to the state-of-the-art baselines.
KW - Black-Box Attack
KW - DNN
KW - DNN Security
KW - Meta-learning
KW - Output Diversifying Sampling
KW - Surrogate
KW - Target-agnostic Attack
KW - Transferability-based Attack
UR - http://www.scopus.com/inward/record.url?scp=85147734169&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85147734169&partnerID=8YFLogxK
U2 - 10.1109/ICDM54844.2022.00047
DO - 10.1109/ICDM54844.2022.00047
M3 - Conference contribution
AN - SCOPUS:85147734169
T3 - Proceedings - IEEE International Conference on Data Mining, ICDM
SP - 368
EP - 377
BT - Proceedings - 22nd IEEE International Conference on Data Mining, ICDM 2022
A2 - Zhu, Xingquan
A2 - Ranka, Sanjay
A2 - Thai, My T.
A2 - Washio, Takashi
A2 - Wu, Xindong
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 22nd IEEE International Conference on Data Mining, ICDM 2022
Y2 - 28 November 2022 through 1 December 2022
ER -