Black-box attacks can generate adversarial examples without accessing the parameters of target model, largely exacerbating the threats of deployed deep neural networks (DNNs). However, previous works state that black-box attacks fail to mislead target models when their training data and outputs are inaccessible. In this work, we argue that black-box attacks can pose practical attacks in this extremely restrictive scenario where only several test samples are available. Specifically, we find that attacking the shallow layers of DNNs trained on a few test samples can generate powerful adversarial examples. As only a few samples are required, we refer to these attacks as lightweight black-box attacks. The main challenge to promoting lightweight attacks is to mitigate the adverse impact caused by the approximation error of shallow layers. As it is hard to mitigate the approximation error with few available samples, we propose Error TransFormer (ETF) for lightweight attacks. Namely, ETF transforms the approximation error in the parameter space into a perturbation in the feature space and alleviates the error by disturbing features. In experiments, lightweight black-box attacks with the proposed ETF achieve surprising results. For example, even if only 1 sample per category available, the attack success rate in lightweight black-box attacks is only about 3% lower than that of the black-box attacks with complete training data.
翻译:黑匣子袭击可以在没有目标模型参数的情况下产生对抗性实例,这在很大程度上加剧了部署的深神经网络的威胁。然而,先前的工作表明,当培训数据和产出无法获取时,黑盒袭击无法误导目标模型。在这项工作中,我们争辩说,黑盒袭击在这种极为限制性的情形下可能构成实际袭击,而这种情况下只有几种测试样本。具体地说,我们发现,攻击在少数测试样本中受过训练的DNN的浅层可以产生强大的对抗性实例。由于只需要少数样本,我们将这些袭击称为轻度黑盒袭击。促进轻度袭击的主要挑战在于减轻浅层近似错误所造成的不利影响。由于很难用少量的样本来减轻近似错误,因此我们建议对轻度袭击使用错误 Transformer(ETF)。也就是说,ETF将参数空间的近似错误转换为特征空间的扰动性错误,并通过令人不安的特征来减轻错误。在实验中,轻度黑盒袭击的轻度黑盒袭击取得了惊人的结果。例如,即使只有1个样本的黑盒袭击成功率,但每类袭击的成功率为每件中只有1次。
相关内容
微信扫码咨询专知VIP会员