
SAGE: Steering the Adversarial Generation of Examples With Accelerations


Abstract:

To generate image adversarial examples, state-of-the-art black-box attacks usually require thousands of queries. However, massive queries introduce additional costs and exposure risks in the real world. To improve attack efficiency, we carefully design an acceleration framework, SAGE, for existing black-box methods; it is composed of sLocator (initial point optimization) and sRudder (search process optimization). The core idea of SAGE is twofold: 1) a saliency map can guide the perturbations towards the most adversarial direction, and 2) a bounding box (bbox) can capture those salient pixels in the black-box setting. Meanwhile, we provide a series of observations and experiments demonstrating that the bbox holds model invariance and process invariance. We extensively evaluate SAGE on four state-of-the-art black-box attacks across three popular datasets (MNIST, CIFAR10, and ImageNet). The results show that SAGE delivers substantial improvements even against robust models trained with adversarial training. Specifically, SAGE could reduce >20% of queries and improve the success rate of attacks to 95%~100%. Compared with the other acceleration framework, SAGE achieves a larger effect in a flexible, stable, and low-overhead manner. Moreover, our practical evaluation (Google Cloud Vision API) shows that SAGE can be applied to real-world scenarios.
Page(s): 789 - 803
Date of Publication: 02 February 2023

I. Introduction

Deep Neural Networks (DNNs) are becoming ubiquitous in security-critical applications that deliver automated decisions, such as face recognition, self-driving cars, and malware detection [47], [48], [50]. Subsequently, several security concerns have emerged regarding the potential vulnerabilities of the DNN algorithm itself [2]. In particular, adversaries can deliberately craft special inputs, named adversarial examples (AEs), that lead models to produce outputs serving their malicious intentions, such as misclassification.

References
[1] A. Al-Dujaili and U.-M. O’Reilly, "There are no bit parts for sign bits in black-box attacks", CoRR, vol. abs/1902.06894, pp. 1-25, May 2019.
[2] L. Amsaleg et al., "High intrinsic dimensionality facilitates adversarial attack: Theoretical evidence", IEEE Trans. Inf. Forensics Security, vol. 16, pp. 854-865, 2021.
[3] A. N. Bhagoji, W. He, B. Li and D. Song, "Exploring the space of black-box attacks on deep neural networks", CoRR, vol. abs/1712.09491, pp. 1-25, May 2017.
[4] B. Bonnet, T. Furon and P. Bas, "Generating adversarial images in quantized domains", IEEE Trans. Inf. Forensics Security, vol. 17, pp. 373-385, 2022.
[5] W. Brendel, J. Rauber and M. Bethge, "Decision-based adversarial attacks: Reliable attacks against black-box machine learning models", Proc. ICLR, pp. 1-12, 2018.
[6] T. Brunner, F. Diehl, M. T. Le and A. Knoll, "Guessing smart: Biased sampling for efficient black-box adversarial attacks", Proc. IEEE/CVF Int. Conf. Comput. Vis. (ICCV), pp. 4957-4965, Oct. 2019.
[7] Y. Cao et al., "Adversarial sensor attack on LiDAR-based perception in autonomous driving", Proc. CCS, pp. 2267-2281, 2019.
[8] N. Carlini and D. Wagner, "Towards evaluating the robustness of neural networks", Proc. IEEE Symp. Secur. Privacy (SP), pp. 39-57, May 2017.
[9] J. Chen, M. I. Jordan and M. J. Wainwright, "HopSkipJumpAttack: A query-efficient decision-based attack", Proc. IEEE Symp. Secur. Privacy (SP), pp. 1277-1294, May 2020.
[10] P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi and C.-J. Hsieh, "ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models", Proc. 10th ACM Workshop Artif. Intell. Secur., pp. 15-26, Nov. 2017.
[11] S. Cheng, Y. Dong, T. Pang, H. Su and J. Zhu, "Improving black-box adversarial attacks with a transfer-based prior", Proc. NeurIPS, pp. 10932-10942, 2019.
[12] Google Cloud, Google Vision API, Apr. 2021, [online] Available: https://cloud.google.com/vision/docs/drag-and-drop.
[13] A. Demontis et al., "Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks", Proc. USENIX Secur. Symp., pp. 321-338, 2019.
[14] S. Garg, V. Sharan, B. H. Zhang and G. Valiant, "A spectral view of adversarially robust features", Proc. NeurIPS, pp. 10159-10169, 2018.
[15] J. Gilmer, N. Ford, N. Carlini and D. E. Cubuk, "Adversarial examples are a natural consequence of test error in noise", Proc. ICML, vol. 97, pp. 2280-2289, 2019.
[16] I. J. Goodfellow, J. Shlens and C. Szegedy, "Explaining and harnessing adversarial examples", Proc. ICLR, pp. 1-11, 2015.
[17] C. Guo, R. J. Gardner, Y. You, A. G. Wilson and Q. K. Weinberger, "Simple black-box adversarial attacks", Proc. ICML, vol. 97, pp. 2484-2493, 2019.
[18] G. Huang, Z. Liu, L. Van Der Maaten and K. Q. Weinberger, "Densely connected convolutional networks", Proc. IEEE Conf. Comput. Vis. Pattern Recognit. (CVPR), pp. 2261-2269, Jul. 2017.
[19] A. Ilyas, L. Engstrom, A. Athalye and J. Lin, "Black-box adversarial attacks with limited queries and information", Proc. Int. Conf. Mach. Learn., vol. 80, pp. 2142-2151, 2018.
[20] A. Ilyas, L. Engstrom and A. Madry, "Prior convictions: Black-box adversarial attacks with bandits and priors", Proc. ICLR, pp. 1-25, 2019.
[21] A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran and A. Madry, "Adversarial examples are not bugs, they are features", Proc. NeurIPS, pp. 125-136, 2019.
[22] ImageNet Large Scale Visual Recognition Challenge 2012 (ILSVRC2012), Apr. 2021, [online] Available: https://image-net.org/challenges/LSVRC/2012/2012-downloads.
[23] J. Kim, B. Lee and Y. M. Ro, "Distilling robust and non-robust features in adversarial examples by information bottleneck", Proc. NeurIPS, pp. 17148-17159, 2021.
[24] A. Krizhevsky and G. Hinton, "Learning multiple layers of features from tiny images", vol. 1, no. 4, pp. 1-60, 2009.
[25] L. Pengcheng, J. Yi and L. Zhang, "Query-efficient black-box attack by active learning", Proc. IEEE Int. Conf. Data Mining (ICDM), pp. 1200-1205, Nov. 2018.
[26] S. Li et al., "Stealthy adversarial perturbations against real-time video classification systems", Proc. NDSS, pp. 1-15, 2019.
[27] K. Liang, Y. J. Zhang, B. Wang, Z. Yang, S. Koyejo and B. Li, "Uncovering the connections between adversarial transferability and knowledge transferability", Proc. ICML, vol. 139, pp. 6577-6587, 2021.
[28] X. Ling et al., "DEEPSEC: A uniform platform for security analysis of deep learning model", Proc. IEEE Symp. Secur. Privacy, pp. 673-690, Sep. 2019.
[29] Y. Liu, X. Chen, C. Liu and D. Song, "Delving into transferable adversarial examples and black-box attacks", Proc. ICLR, pp. 1-14, 2017.
[30] B. Luo, Y. Liu, L. Wei and Q. Xu, "Towards imperceptible and robust adversarial example attacks against neural networks", Proc. AAAI, pp. 1652-1659, 2018.
