SQBA: sequential query-based blackbox attack

Yiyi Tao

doi:10.1117/12.3009240

16 October 2023 SQBA: sequential query-based blackbox attack

Yiyi Tao

Proceedings Volume 12803, Fifth International Conference on Artificial Intelligence and Computer Science (AICS 2023); 128032Q (2023) https://doi.org/10.1117/12.3009240
Event: 2023 5th International Conference on Artificial Intelligence and Computer Science (AICS 2023), 2023, Wuhan, China

Abstract

Many existing approaches to blackbox adversarial attacks follow attack strategies with predefined priori which are fixed throughout the process. As a result, they often require an excessive number of queries against the victim models to succeed. In this paper, we proposed a new attacking paradigm that better resembles real-world attacks in practical settings, where an agent (i.e., attacker) approaches the attack by taking actions (i.e., perturbations to the source image) through sequential interactions with the environment (i.e., the victim model) to achieve maximum rewards (i.e., the success of attack with the minimum number of queries). Naturally, as any action the agent chooses to take would alter the query image and change the state of the attack, the agent needs to adapt its policy accordingly along the trajectory instead of applying a predefined strategy unanimously. As an instantiation, we propose a “sequential query-based boundary blackbox attack” (SQBA), which learns a policy to adaptively select from a set of candidates attacking methods and then follow the selected method to apply one attack at each step. For demonstration, we restrict the candidate to subspace-based boundary attack methods. We show that the policy can be learned effectively with a variety of approaches, including imitation learning, policy optimization, and an ensemble of both. Extensive experiments on four benchmark datasets (MNIST, CIFAR-10, CelebA, and ImageNet) show that SQBA can significantly reduce the query complexity under different settings compared with baselines while keeping a 100% attack success rate. In addition, we find that the Reinforcement Learning agent as an ensemble of TRPO and BiLSTM performs the best among different agents.

(2023) Published by SPIE. Downloading of the abstract is permitted for personal use only.

Citation Download Citation

Yiyi Tao "SQBA: sequential query-based blackbox attack", Proc. SPIE 12803, Fifth International Conference on Artificial Intelligence and Computer Science (AICS 2023), 128032Q (16 October 2023); https://doi.org/10.1117/12.3009240

ACCESS THE FULL ARTICLE

INSTITUTIONAL
Select your institution to access the SPIE Digital Library.

SELECT YOUR INSTITUTION

PERSONAL
Sign in with your SPIE account to access your personal subscriptions or to use specific features such as save to my library, sign up for alerts, save searches, etc.

PERSONAL SIGN IN

No SPIE Account? Create one

PURCHASE THIS CONTENT

SUBSCRIBE TO DIGITAL LIBRARY

50 downloads per 1-year subscription

Members: $195

Non-members: $335 ADD TO CART

25 downloads per 1 - year subscription

Members: $145

Non-members: $250 ADD TO CART

PURCHASE SINGLE ARTICLE

Includes PDF, HTML & Video, when available

Members: $17.00

Non-members: $21.00 ADD TO CART

PROCEEDINGS
9 PAGES

DOWNLOAD PAPER SAVE TO MY LIBRARY

GET CITATION

RIGHTS & PERMISSIONS

Get copyright permission Get copyright permission on Copyright Marketplace

KEYWORDS

Education and training

Image processing

Image classification

Mathematical optimization

Statistical analysis

Data modeling

Mouth

Show All Keywords

Keywords/Phrases

Search In:

Publication Years