Towards Query-Efficient Black-Box Attacks: A Universal Dual Transferability-Based Framework

Abstract
Adversarial attacks threaten the application of deep neural networks in security-sensitive scenarios. Most existing black-box attacks fool the target model by interacting with it many times and producing global perturbations. However, not all pixels are equally crucial to the target model; treating them indiscriminately therefore inevitably inflates the query overhead. In addition, existing black-box attacks take clean samples as starting points, which further limits query efficiency. In this article, we propose a novel black-box attack framework, built on a dual transferability (DT) strategy, that perturbs only the discriminative areas of clean examples within a limited query budget. The first kind of transferability is the transferability of model interpretations: based on this property, we identify the discriminative areas of clean samples for generating local perturbations. The second is the transferability of adversarial examples, which helps us produce local pre-perturbations that further improve query efficiency. We achieve both kinds of transferability through an independent auxiliary model, incurring no extra query overhead. After identifying the discriminative areas and generating the pre-perturbations, we use the pre-perturbed samples as better starting points and further perturb them locally in a black-box manner to search for the corresponding adversarial examples. Because the DT strategy is general, the proposed framework can be applied to different types of black-box attacks. Extensive experiments show that, under various system settings, our framework significantly improves both the query efficiency and the attack success rates of existing black-box attacks.
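To make the three-stage pipeline described above concrete, the following is a minimal PyTorch sketch, not the paper's exact algorithm. The function names (`grad_cam_mask`, `pre_perturb`, `local_black_box_attack`) are hypothetical; the interpretation stage is assumed to be Grad-CAM-style, the pre-perturbation stage a masked iterative FGSM, and the query-based stage a simplified SimBA-style random coordinate search restricted to the mask.

```python
# Hypothetical sketch of a dual-transferability (DT) attack pipeline.
import torch
import torch.nn.functional as F

def grad_cam_mask(surrogate, x, target_layer, top_frac=0.1):
    """Stage 1 -- transferability of interpretations: a Grad-CAM map on an
    independent auxiliary (surrogate) model marks the discriminative area;
    only the top `top_frac` of pixels are kept as the local mask."""
    acts = {}
    hook = target_layer.register_forward_hook(
        lambda mod, inp, out: acts.update(a=out))
    logits = surrogate(x)
    hook.remove()
    a = acts["a"]
    score = logits.max(dim=1).values.sum()          # predicted-class score
    grads = torch.autograd.grad(score, a)[0]
    weights = grads.mean(dim=(2, 3), keepdim=True)  # channel importance
    cam = F.relu((weights * a).sum(dim=1, keepdim=True))
    cam = F.interpolate(cam, size=x.shape[-2:], mode="bilinear",
                        align_corners=False)
    thresh = torch.quantile(cam.flatten(1), 1.0 - top_frac, dim=1)
    return (cam >= thresh.view(-1, 1, 1, 1)).float()

def pre_perturb(surrogate, x, y, mask, eps=8 / 255, steps=10):
    """Stage 2 -- transferability of adversarial examples: a masked I-FGSM
    on the surrogate yields a local pre-perturbation, giving a better
    starting point without spending any queries on the target model."""
    x_adv = x.clone()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(surrogate(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        x_adv = x_adv.detach() + (eps / steps) * grad.sign() * mask
        x_adv = (x + (x_adv - x).clamp(-eps, eps)).clamp(0.0, 1.0)
    return x_adv

def local_black_box_attack(query_fn, x_start, y, mask, eps=8 / 255,
                           budget=1000):
    """Stage 3 -- query-based search: SimBA-style random coordinate descent
    restricted to the masked area; `query_fn` returns the target model's
    class probabilities and is the only source of query cost."""
    x_adv, shape = x_start.clone(), x_start.shape
    coords = mask.expand_as(x_start).flatten().nonzero().squeeze(1)
    best = query_fn(x_adv)[0, y]
    for _ in range(budget):
        i = coords[torch.randint(len(coords), (1,))]
        for sign in (1.0, -1.0):
            cand = x_adv.flatten().clone()
            cand[i] = (cand[i] + sign * eps).clamp(0.0, 1.0)
            probs = query_fn(cand.view(shape))
            if probs[0, y] < best:                  # keep the improvement
                best, x_adv = probs[0, y], cand.view(shape)
                if probs.argmax(1).item() != y.item():
                    return x_adv                    # misclassified: done
                break
    return x_adv
```

Note the division of labor this sketch illustrates: stages 1 and 2 touch only the auxiliary model, so the entire query budget is spent in stage 3, and that search operates over the reduced, masked coordinate set rather than all pixels.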