Black-box adversarial attacks can fool image classifiers into misclassifying images without requiring access to model structure and weights. Recently proposed black-box attacks can achieve a success rate of more than 95% after fewer than 1,000 queries. The question then arises of whether black-box attacks have become a real threat against IoT devices that rely on cloud APIs to achieve image classification. To shed some light on this, note that prior research has primarily focused on increasing the success rate and reducing the number of required queries. However, another crucial factor for black-box attacks against cloud APIs is the time required to perform the attack. This paper applies black-box attacks directly to cloud APIs rather than to local models, thereby avoiding multiple mistakes made in prior research. Further, we exploit load balancing to enable distributed black-box attacks that can reduce the attack time by a factor of about five for both local search and gradient estimation methods.