Deep Neural Networks (DNNs) are acknowledged as vulnerable to adversarial attacks, while the existing black-box attacks require extensive queries on the victim DNN to achieve high success rates. For query efficiency, surrogate models of the victim are used to generate transferable Adversarial Examples (AEs) because of their Gradient Similarity (GS), i.e., surrogates' attack gradients are similar to the victim's. However, their similarity on outputs, namely the Prediction Similarity (PS), is generally neglected as a way to let surrogates filter out inefficient queries without querying the victim. To jointly utilize and optimize surrogates' GS and PS, we develop QueryNet, a unified attack framework that can significantly reduce queries. QueryNet creatively attacks with multi-identity surrogates, i.e., it crafts several AEs for one sample using different surrogates, and also uses the surrogates to decide on the most promising AE for the query. After that, the victim's query feedback is accumulated to optimize not only the surrogates' parameters but also their architectures, enhancing both the GS and the PS. Although QueryNet has no access to pre-trained surrogates' prior, it reduces queries by about an order of magnitude on average compared to alternatives within an acceptable time, according to our comprehensive experiments: 11 victims (including two commercial models) on MNIST/CIFAR10/ImageNet, allowing only 8-bit image queries, and no access to the victim's training data. The code is available at https://github.com/Sizhe-Chen/QueryNet.