Black-Box Attack using Adversarial Examples: A New Method of Improving Transferability

    https://doi.org/10.1142/S2811032322500059 | Cited by: 5 (Source: Crossref)

    Adversarial examples (AEs) are malicious test samples (typically images) generated by applying carefully calculated perturbations to clean samples. The added perturbations are usually imperceptible to humans, yet the AEs can fool a machine learning (ML) model into misclassification. Although many methods have been proposed to generate AEs, their ability to generalize is very limited: they easily overfit to the single, white-box source ML model, and the generated AEs rarely work against other models. In this paper, we propose a black-box attack approach that crafts transferable AEs capable of attacking a wide range of ML models without knowledge of their internals. Our novel method combines an elastic momentum (EM) term, which expedites gradient descent to avoid early overfitting, with a random erasure (RE) technique, which increases the diversity of perturbations and reduces gradient fluctuations. Our method can be applied to any gradient-based attack to make it more transferable. We evaluate the proposed method by attacking seven state-of-the-art (SOTA) deep learning models and comparing against five SOTA attacks; we also attack nine advanced defense mechanisms integrated into those models. Our results demonstrate a significant improvement in attack success rate (ASR) and transferability when using our method alone, and show that it can easily be applied to other gradient-based baseline methods to substantially improve their performance.
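    The abstract does not spell out the EM and RE formulations, but a minimal sketch can make the overall recipe concrete: an iterative gradient-sign attack whose gradient is accumulated with momentum (an MI-FGSM-style update, used here only as a stand-in for the paper's elastic momentum) and whose input is passed through a random-erasure transformation at each step (a simple zero-patch erasure, standing in for the paper's RE technique). All function names, parameters, and the exact update rule below are illustrative assumptions, not the authors' implementation.

    # Illustrative sketch, NOT the authors' exact algorithm: a momentum-based
    # iterative gradient-sign attack combined with a random-erasure input
    # transformation. The momentum rule (MI-FGSM style) and the erasure
    # parameters are assumptions made for illustration.
    import torch
    import torch.nn.functional as F

    def random_erase(x, patch_frac=0.2):
        """Zero out a random rectangular patch of each image (assumed RE step)."""
        b, c, h, w = x.shape
        ph, pw = int(h * patch_frac), int(w * patch_frac)
        top = torch.randint(0, h - ph + 1, (1,)).item()
        left = torch.randint(0, w - pw + 1, (1,)).item()
        x = x.clone()
        x[:, :, top:top + ph, left:left + pw] = 0.0
        return x

    def momentum_re_attack(model, x, y, eps=8 / 255, steps=10, mu=1.0):
        """Craft adversarial examples with momentum plus random erasure."""
        alpha = eps / steps                      # per-step perturbation budget
        x_adv = x.clone().detach()
        g = torch.zeros_like(x)                  # accumulated momentum
        for _ in range(steps):
            # Compute the loss gradient on a randomly erased copy of the input
            x_in = random_erase(x_adv).requires_grad_(True)
            loss = F.cross_entropy(model(x_in), y)
            grad = torch.autograd.grad(loss, x_in)[0]
            # Accumulate L1-normalized gradients into the momentum term
            g = mu * g + grad / grad.abs().mean(dim=(1, 2, 3), keepdim=True)
            x_adv = x_adv + alpha * g.sign()
            # Project back into the eps-ball around x and the valid pixel range
            x_adv = torch.clamp(x_adv, x - eps, x + eps).clamp(0, 1).detach()
        return x_adv

    In this sketch, the momentum accumulation smooths the update direction across iterations so the perturbation does not lock onto idiosyncrasies of the source model too early, while the per-step random erasure forces the gradient to be informative under varied inputs; both mechanisms serve the transferability goal the abstract describes.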