You do not have permission to edit this page, for the following reason:
You can view and copy the source of this page.
== Abstract ==
Machine learning (ML), especially deep neural networks (DNNs) have been widely used in various applications, including several safety-critical ones (e.g. autonomous driving). As a result, recent research about adversarial examples has raised great concerns. Such adversarial attacks can be achieved by adding a small magnitude of perturbation to the input to mislead model prediction. While several whitebox attacks have demonstrated their effectiveness, which assume that the attackers have full access to the machine learning models; blackbox attacks are more realistic in practice. In this paper, we propose a Query-Efficient Boundary-based blackbox Attack (QEBA) based only on model's final prediction labels. We theoretically show why previous boundary-based attack with gradient estimation on the whole gradient space is not efficient in terms of query numbers, and provide optimality analysis for our dimension reduction-based gradient estimation. On the other hand, we conducted extensive experiments on ImageNet and CelebA datasets to evaluate QEBA. We show that compared with the state-of-the-art blackbox attacks, QEBA is able to use a smaller number of queries to achieve a lower magnitude of perturbation with 100% attack success rate. We also show case studies of attacks on real-world APIs including MEGVII Face++ and Microsoft Azure.
Comment: Accepted by CVPR 2020
== Original document ==
The different versions of the original document can be found in:
* [http://arxiv.org/abs/2005.14137 http://arxiv.org/abs/2005.14137]
* [http://arxiv.org/pdf/2005.14137 http://arxiv.org/pdf/2005.14137]
* [http://xplorestaging.ieee.org/ielx7/9142308/9156271/09156276.pdf?arnumber=9156276 http://xplorestaging.ieee.org/ielx7/9142308/9156271/09156276.pdf?arnumber=9156276],
: [http://dx.doi.org/10.1109/cvpr42600.2020.00130 http://dx.doi.org/10.1109/cvpr42600.2020.00130]
* [https://dblp.uni-trier.de/db/conf/cvpr/cvpr2020.html#LiXZYL20 https://dblp.uni-trier.de/db/conf/cvpr/cvpr2020.html#LiXZYL20],
: [https://openaccess.thecvf.com/content_CVPR_2020/papers/Li_QEBA_Query-Efficient_Boundary-Based_Blackbox_Attack_CVPR_2020_paper.pdf https://openaccess.thecvf.com/content_CVPR_2020/papers/Li_QEBA_Query-Efficient_Boundary-Based_Blackbox_Attack_CVPR_2020_paper.pdf],
: [https://openaccess.thecvf.com/content_CVPR_2020/html/Li_QEBA_Query-Efficient_Boundary-Based_Blackbox_Attack_CVPR_2020_paper.html https://openaccess.thecvf.com/content_CVPR_2020/html/Li_QEBA_Query-Efficient_Boundary-Based_Blackbox_Attack_CVPR_2020_paper.html],
: [https://academic.microsoft.com/#/detail/3034892461 https://academic.microsoft.com/#/detail/3034892461]
Return to Li et al 2020e.
Published on 01/01/2020
Volume 2020, 2020
DOI: 10.1109/cvpr42600.2020.00130
Licence: CC BY-NC-SA license
Are you one of the authors of this document?