Adversarial transferability, namely the ability of adversarial perturbations to simultaneously fool multiple learning models, has long been the "big bad wolf" of adversarial machine learning. Successful transferability-based attacks requiring no prior knowledge of the attacked model's parameters or training data have been demonstrated numerous times in the past, implying that machine learning models pose an inherent security threat to real-life systems. However, all of the research performed in this area regarded transferability as a probabilistic property and attempted to estimate the percentage of adversarial examples that are likely to mislead a target model given some predefined evaluation set. As a result, those studies ignored the fact that real-life adversaries are often highly sensitive to the cost of a failed attack. We argue that overlooking this sensitivity has led to an exaggerated perception of the transferability threat, when in fact real-life transferability-based attacks are quite unlikely. By combining theoretical reasoning with a series of empirical results, we show that it is practically impossible to predict whether a given adversarial example is transferable to a specific target model in a black-box setting, hence questioning the validity of adversarial transferability as a real-life attack tool for adversaries that are sensitive to the cost of a failed attack.
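To make the abstract's distinction concrete, here is an added simulation that is not part of the paper and uses no code from its authors: two logistic-regression classifiers are trained on disjoint halves of constructed synthetic data (one playing the attacker's surrogate, the other the black-box target), a one-step FGSM perturbation is crafted against the surrogate, and the result is recorded per example as a transfer/no-transfer outcome. The aggregate transfer rate is the probabilistic quantity earlier work reports; the per-example list shows why that rate alone does not tell a cost-sensitive adversary what will happen on any single attempt. The `expected_payoff` and `break_even_rate` helpers, the gain/cost numbers, and the dimension and step size are assumptions chosen for illustration.

```python
import math
import random

DIM = 8      # feature dimension of the constructed data (assumption)
EPS = 0.3    # FGSM step size per coordinate (assumption)


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def make_data(n, w_true, rng):
    """Constructed synthetic data: label is the sign of a hidden linear rule."""
    xs, ys = [], []
    for _ in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        ys.append(1 if dot(w_true, x) > 0 else -1)
        xs.append(x)
    return xs, ys


def train_logistic(xs, ys, rng, epochs=20, lr=0.1):
    """Logistic regression by SGD; surrogate and target differ in data and init."""
    w = [rng.gauss(0.0, 0.1) for _ in range(DIM)]
    order = list(range(len(xs)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            margin = ys[i] * dot(w, xs[i])
            g = 1.0 / (1.0 + math.exp(margin))  # sigmoid(-margin), the loss gradient weight
            w = [wj + lr * ys[i] * xj * g for wj, xj in zip(w, xs[i])]
    return w


def predict(w, x):
    return 1 if dot(w, x) > 0 else -1


def fgsm_linear(w, x, y, eps):
    """One FGSM step against a linear model: shift every coordinate by eps in the
    direction that lowers the model's margin on the true label y."""
    sign = lambda v: 1 if v > 0 else (-1 if v < 0 else 0)
    return [xj - eps * y * sign(wj) for xj, wj in zip(x, w)]


def transfer_experiment(n_train=300, n_eval=200, seed=7):
    """Return one boolean per surrogate-fooling example: did it also fool the target?"""
    rng = random.Random(seed)
    w_true = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    xs_a, ys_a = make_data(n_train, w_true, rng)   # surrogate's training data
    xs_b, ys_b = make_data(n_train, w_true, rng)   # target's (disjoint) training data
    xs_e, ys_e = make_data(n_eval, w_true, rng)    # evaluation set
    surrogate = train_logistic(xs_a, ys_a, random.Random(seed + 1))
    target = train_logistic(xs_b, ys_b, random.Random(seed + 2))
    outcomes = []
    for x, y in zip(xs_e, ys_e):
        if predict(surrogate, x) != y or predict(target, x) != y:
            continue  # only count examples both models classify correctly
        x_adv = fgsm_linear(surrogate, x, y, EPS)
        if predict(surrogate, x_adv) != y:           # white-box success on surrogate
            outcomes.append(predict(target, x_adv) != y)  # did it transfer?
    return outcomes


def transfer_rate(outcomes):
    """Aggregate transfer rate: the population statistic prior work reports."""
    return sum(outcomes) / len(outcomes) if outcomes else 0.0


def expected_payoff(p, gain, cost):
    """Expected value of one attempt for an adversary who gains `gain` on success
    and pays `cost` on a failed (detected) attempt, given transfer probability p."""
    return p * gain - (1.0 - p) * cost


def break_even_rate(gain, cost):
    """Transfer rate below which a cost-sensitive adversary expects to lose."""
    return cost / (gain + cost)


if __name__ == "__main__":
    outcomes = transfer_experiment()
    p = transfer_rate(outcomes)
    print(f"surrogate-fooling examples: {len(outcomes)}, aggregate transfer rate: {p:.2f}")
    print("per-example outcomes (first 20):", ["T" if o else "F" for o in outcomes[:20]])
    gain, cost = 10.0, 40.0  # assumed payoff figures for illustration
    print(f"expected payoff per attempt: {expected_payoff(p, gain, cost):.2f}")
    print(f"break-even rate for these figures: {break_even_rate(gain, cost):.2f}")
```

The per-example list is a sequence of individual successes and failures that the single rate summarises away; an adversary who pays for each failure needs the individual outcome, not the average, and the break-even threshold shows how quickly a moderate failure cost makes an attack with a respectable aggregate rate unattractive. For a defender, the same arithmetic is a risk-estimation tool: raising the cost of a failed attempt (detection and response on anomalous inputs) shifts the break-even rate without requiring the model itself to become robust.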