Accelerate Black-Box Attack with White-Box Prior Knowledge

Jinghui Cai; Boyang Wang; Xiangfeng Wang; Bo Jin

doi:10.1007/978-3-030-36204-1_33

Accelerate Black-Box Attack with White-Box Prior Knowledge

Jinghui Cai
, Boyang Wang
, Xiangfeng Wang^*
, Bo Jin

^*Corresponding author for this work

School of Computer Science and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

We propose an efficient adversarial attack method in the black-box setting. Our Multi-model Efficient Query Attack (MEQA) method takes advantage of the prior knowledge on different models’ relationship to guide the construction of black-box adversarial instances. The MEQA method employs several gradients from different white-box attack models and further the “best” one is selected to replace the gradient of black-box model in each step. The gradient composed by different model gradients will lead a significant loss to the black-box model on these adversarial pictures and then cause misclassification. Our key motivation is to estimate the black-box model with several existing white-box models, which can significantly increase the efficiency from the perspectives of both query sampling and calculating. Compared with gradient estimation based black-box adversarial attack methods, our MEQA method reduces the number of queries from 10000 to 40, which greatly accelerates the black-box adversarial attack. Compared with the zero query black-box adversarial attack method, which also called transfer attack method, MEQA boosts the attack success rate by 30%. We evaluate our method on several black-box models and achieve remarkable performance which proves that MEQA can serve as a baseline method for fast and effective black-box adversarial attacks.

Original language	English
Title of host publication	Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2
Editors	Zhen Cui, Jinshan Pan, Shanshan Zhang, Liang Xiao, Jian Yang
Publisher	Springer
Pages	394-405
Number of pages	12
ISBN (Print)	9783030362034
DOIs	https://doi.org/10.1007/978-3-030-36204-1_33
State	Published - 2019
Event	9th International Conference on Intelligence Science and Big Data Engineering, IScIDE 2019 - Nanjing, China Duration: 17 Oct 2019 → 20 Oct 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11936 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Conference on Intelligence Science and Big Data Engineering, IScIDE 2019
Country/Territory	China
City	Nanjing
Period	17/10/19 → 20/10/19

Keywords

Efficient black-box attack
Gradient estimation
Model robustness
Transfer attack

Access to Document

10.1007/978-3-030-36204-1_33

Cite this

Cai, J., Wang, B., Wang, X., & Jin, B. (2019). Accelerate Black-Box Attack with White-Box Prior Knowledge. In Z. Cui, J. Pan, S. Zhang, L. Xiao, & J. Yang (Eds.), Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2 (pp. 394-405). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11936 LNCS). Springer. https://doi.org/10.1007/978-3-030-36204-1_33

Cai, Jinghui ; Wang, Boyang ; Wang, Xiangfeng et al. / Accelerate Black-Box Attack with White-Box Prior Knowledge. Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2. editor / Zhen Cui ; Jinshan Pan ; Shanshan Zhang ; Liang Xiao ; Jian Yang. Springer, 2019. pp. 394-405 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6ad5c8cb650840bbb5cd620231847247,

title = "Accelerate Black-Box Attack with White-Box Prior Knowledge",

abstract = "We propose an efficient adversarial attack method in the black-box setting. Our Multi-model Efficient Query Attack (MEQA) method takes advantage of the prior knowledge on different models{\textquoteright} relationship to guide the construction of black-box adversarial instances. The MEQA method employs several gradients from different white-box attack models and further the “best” one is selected to replace the gradient of black-box model in each step. The gradient composed by different model gradients will lead a significant loss to the black-box model on these adversarial pictures and then cause misclassification. Our key motivation is to estimate the black-box model with several existing white-box models, which can significantly increase the efficiency from the perspectives of both query sampling and calculating. Compared with gradient estimation based black-box adversarial attack methods, our MEQA method reduces the number of queries from 10000 to 40, which greatly accelerates the black-box adversarial attack. Compared with the zero query black-box adversarial attack method, which also called transfer attack method, MEQA boosts the attack success rate by 30\%. We evaluate our method on several black-box models and achieve remarkable performance which proves that MEQA can serve as a baseline method for fast and effective black-box adversarial attacks.",

keywords = "Efficient black-box attack, Gradient estimation, Model robustness, Transfer attack",

author = "Jinghui Cai and Boyang Wang and Xiangfeng Wang and Bo Jin",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; 9th International Conference on Intelligence Science and Big Data Engineering, IScIDE 2019 ; Conference date: 17-10-2019 Through 20-10-2019",

year = "2019",

doi = "10.1007/978-3-030-36204-1\_33",

language = "英语",

isbn = "9783030362034",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "394--405",

editor = "Zhen Cui and Jinshan Pan and Shanshan Zhang and Liang Xiao and Jian Yang",

booktitle = "Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2",

address = "德国",

}

Cai, J, Wang, B, Wang, X & Jin, B 2019, Accelerate Black-Box Attack with White-Box Prior Knowledge. in Z Cui, J Pan, S Zhang, L Xiao & J Yang (eds), Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11936 LNCS, Springer, pp. 394-405, 9th International Conference on Intelligence Science and Big Data Engineering, IScIDE 2019, Nanjing, China, 17/10/19. https://doi.org/10.1007/978-3-030-36204-1_33

Accelerate Black-Box Attack with White-Box Prior Knowledge. / Cai, Jinghui; Wang, Boyang; Wang, Xiangfeng et al.
Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2. ed. / Zhen Cui; Jinshan Pan; Shanshan Zhang; Liang Xiao; Jian Yang. Springer, 2019. p. 394-405 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11936 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Accelerate Black-Box Attack with White-Box Prior Knowledge

AU - Cai, Jinghui

AU - Wang, Boyang

AU - Wang, Xiangfeng

AU - Jin, Bo

PY - 2019

Y1 - 2019

N2 - We propose an efficient adversarial attack method in the black-box setting. Our Multi-model Efficient Query Attack (MEQA) method takes advantage of the prior knowledge on different models’ relationship to guide the construction of black-box adversarial instances. The MEQA method employs several gradients from different white-box attack models and further the “best” one is selected to replace the gradient of black-box model in each step. The gradient composed by different model gradients will lead a significant loss to the black-box model on these adversarial pictures and then cause misclassification. Our key motivation is to estimate the black-box model with several existing white-box models, which can significantly increase the efficiency from the perspectives of both query sampling and calculating. Compared with gradient estimation based black-box adversarial attack methods, our MEQA method reduces the number of queries from 10000 to 40, which greatly accelerates the black-box adversarial attack. Compared with the zero query black-box adversarial attack method, which also called transfer attack method, MEQA boosts the attack success rate by 30%. We evaluate our method on several black-box models and achieve remarkable performance which proves that MEQA can serve as a baseline method for fast and effective black-box adversarial attacks.

AB - We propose an efficient adversarial attack method in the black-box setting. Our Multi-model Efficient Query Attack (MEQA) method takes advantage of the prior knowledge on different models’ relationship to guide the construction of black-box adversarial instances. The MEQA method employs several gradients from different white-box attack models and further the “best” one is selected to replace the gradient of black-box model in each step. The gradient composed by different model gradients will lead a significant loss to the black-box model on these adversarial pictures and then cause misclassification. Our key motivation is to estimate the black-box model with several existing white-box models, which can significantly increase the efficiency from the perspectives of both query sampling and calculating. Compared with gradient estimation based black-box adversarial attack methods, our MEQA method reduces the number of queries from 10000 to 40, which greatly accelerates the black-box adversarial attack. Compared with the zero query black-box adversarial attack method, which also called transfer attack method, MEQA boosts the attack success rate by 30%. We evaluate our method on several black-box models and achieve remarkable performance which proves that MEQA can serve as a baseline method for fast and effective black-box adversarial attacks.

KW - Efficient black-box attack

KW - Gradient estimation

KW - Model robustness

KW - Transfer attack

UR - https://www.scopus.com/pages/publications/85076928198

U2 - 10.1007/978-3-030-36204-1_33

DO - 10.1007/978-3-030-36204-1_33

M3 - 会议稿件

AN - SCOPUS:85076928198

SN - 9783030362034

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 394

EP - 405

BT - Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2

A2 - Cui, Zhen

A2 - Pan, Jinshan

A2 - Zhang, Shanshan

A2 - Xiao, Liang

A2 - Yang, Jian

PB - Springer

T2 - 9th International Conference on Intelligence Science and Big Data Engineering, IScIDE 2019

Y2 - 17 October 2019 through 20 October 2019

ER -

Cai J, Wang B, Wang X, Jin B. Accelerate Black-Box Attack with White-Box Prior Knowledge. In Cui Z, Pan J, Zhang S, Xiao L, Yang J, editors, Intelligence Science and Big Data Engineering. Big Data and Machine Learning - 9th International Conference, IScIDE 2019, Proceedings, Part 2. Springer. 2019. p. 394-405. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-36204-1_33

Accelerate Black-Box Attack with White-Box Prior Knowledge

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this