BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK

Viet Quoc Vo; Ehsan Abbasnejad; Damith C. Ranasinghe

BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK

Viet Quoc Vo, Ehsan Abbasnejad, Damith C. Ranasinghe

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

Abstract

We study the unique, less-well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. Sparse attacks aim to discover a minimum number-the l₀ bounded-perturbations to model inputs to craft adversarial examples and misguide model decisions. But, in contrast to query-based dense attack counterparts against black-box models, constructing sparse adversarial perturbations, even when models serve confidence score information to queries in a score-based setting, is non-trivial. Because, such an attack leads to: i) an NP-hard problem; and ii) a non-differentiable search space. We develop the BRUSLEATTACK-a new, faster (more query efficient) Bayesian algorithm for the problem. We conduct extensive attack evaluations including an attack demonstration against a Machine Learning as a Service (MLaaS) offering exemplified by Google Cloud Vision and robustness testing of adversarial training regimes and a recent defense against black-box attacks. The proposed attack scales to achieve state-of-the-art attack success rates and query efficiency on standard computer vision tasks such as ImageNet across different model architectures. Our artifacts and DIY attack samples are available on GitHub. Importantly, our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.

Original language	English
Title of host publication	The Twelfth International Conference on Learning Representations
Editors	Katerina Fragkiadaki, Mohammad Emtiyaz Khan, Swarat Chaudhuri, Yizhou Sun
Place of Publication	USA
Publisher	International Conference on Learning Representations (ICLR)
Number of pages	38
Publication status	Published - 2024
Externally published	Yes
Event	International Conference on Learning Representations 2024 - Hybrid, Vienna, Austria Duration: 7 May 2024 → 11 May 2024 Conference number: 12th https://iclr.cc/Conferences/2024 (Website) https://openreview.net/group?id=ICLR.cc/2024 (Proceedings)

Conference

Conference	International Conference on Learning Representations 2024
Abbreviated title	ICLR 2024
Country/Territory	Austria
City	Hybrid, Vienna
Period	7/05/24 → 11/05/24
Internet address	https://iclr.cc/Conferences/2024 (Website) https://openreview.net/group?id=ICLR.cc/2024 (Proceedings)

Access to Document

https://openreview.net/forum?id=PAfnMGXiefLicence: CC BY

Cite this

Vo, V. Q., Abbasnejad, E., & Ranasinghe, D. C. (2024). BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK. In K. Fragkiadaki, M. Emtiyaz Khan, S. Chaudhuri, & Y. Sun (Eds.), The Twelfth International Conference on Learning Representations International Conference on Learning Representations (ICLR). https://openreview.net/forum?id=PAfnMGXief

@inproceedings{883af70d534049aba90cdae8d71efa7b,

title = "BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK",

abstract = "We study the unique, less-well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. Sparse attacks aim to discover a minimum number-the l0 bounded-perturbations to model inputs to craft adversarial examples and misguide model decisions. But, in contrast to query-based dense attack counterparts against black-box models, constructing sparse adversarial perturbations, even when models serve confidence score information to queries in a score-based setting, is non-trivial. Because, such an attack leads to: i) an NP-hard problem; and ii) a non-differentiable search space. We develop the BRUSLEATTACK-a new, faster (more query efficient) Bayesian algorithm for the problem. We conduct extensive attack evaluations including an attack demonstration against a Machine Learning as a Service (MLaaS) offering exemplified by Google Cloud Vision and robustness testing of adversarial training regimes and a recent defense against black-box attacks. The proposed attack scales to achieve state-of-the-art attack success rates and query efficiency on standard computer vision tasks such as ImageNet across different model architectures. Our artifacts and DIY attack samples are available on GitHub. Importantly, our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.",

author = "Vo, {Viet Quoc} and Ehsan Abbasnejad and Ranasinghe, {Damith C.}",

note = "Publisher Copyright: {\textcopyright} 2024 12th International Conference on Learning Representations, ICLR 2024. All rights reserved.; International Conference on Learning Representations 2024, ICLR 2024 ; Conference date: 07-05-2024 Through 11-05-2024",

year = "2024",

language = "English",

editor = "Katerina Fragkiadaki and {Emtiyaz Khan}, Mohammad and Swarat Chaudhuri and Yizhou Sun",

booktitle = "The Twelfth International Conference on Learning Representations",

publisher = "International Conference on Learning Representations (ICLR)",

address = "United States of America",

url = "https://iclr.cc/Conferences/2024, https://openreview.net/group?id=ICLR.cc/2024",

}

Vo, VQ, Abbasnejad, E & Ranasinghe, DC 2024, BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK. in K Fragkiadaki, M Emtiyaz Khan, S Chaudhuri & Y Sun (eds), The Twelfth International Conference on Learning Representations. International Conference on Learning Representations (ICLR), USA, International Conference on Learning Representations 2024, Hybrid, Vienna, Austria, 7/05/24. <https://openreview.net/forum?id=PAfnMGXief>

BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK. / Vo, Viet Quoc; Abbasnejad, Ehsan; Ranasinghe, Damith C.
The Twelfth International Conference on Learning Representations. ed. / Katerina Fragkiadaki; Mohammad Emtiyaz Khan; Swarat Chaudhuri; Yizhou Sun. USA: International Conference on Learning Representations (ICLR), 2024.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - BRUSLEATTACK

T2 - International Conference on Learning Representations 2024

AU - Vo, Viet Quoc

AU - Abbasnejad, Ehsan

AU - Ranasinghe, Damith C.

N1 - Conference code: 12th

PY - 2024

Y1 - 2024

N2 - We study the unique, less-well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. Sparse attacks aim to discover a minimum number-the l0 bounded-perturbations to model inputs to craft adversarial examples and misguide model decisions. But, in contrast to query-based dense attack counterparts against black-box models, constructing sparse adversarial perturbations, even when models serve confidence score information to queries in a score-based setting, is non-trivial. Because, such an attack leads to: i) an NP-hard problem; and ii) a non-differentiable search space. We develop the BRUSLEATTACK-a new, faster (more query efficient) Bayesian algorithm for the problem. We conduct extensive attack evaluations including an attack demonstration against a Machine Learning as a Service (MLaaS) offering exemplified by Google Cloud Vision and robustness testing of adversarial training regimes and a recent defense against black-box attacks. The proposed attack scales to achieve state-of-the-art attack success rates and query efficiency on standard computer vision tasks such as ImageNet across different model architectures. Our artifacts and DIY attack samples are available on GitHub. Importantly, our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.

AB - We study the unique, less-well understood problem of generating sparse adversarial samples simply by observing the score-based replies to model queries. Sparse attacks aim to discover a minimum number-the l0 bounded-perturbations to model inputs to craft adversarial examples and misguide model decisions. But, in contrast to query-based dense attack counterparts against black-box models, constructing sparse adversarial perturbations, even when models serve confidence score information to queries in a score-based setting, is non-trivial. Because, such an attack leads to: i) an NP-hard problem; and ii) a non-differentiable search space. We develop the BRUSLEATTACK-a new, faster (more query efficient) Bayesian algorithm for the problem. We conduct extensive attack evaluations including an attack demonstration against a Machine Learning as a Service (MLaaS) offering exemplified by Google Cloud Vision and robustness testing of adversarial training regimes and a recent defense against black-box attacks. The proposed attack scales to achieve state-of-the-art attack success rates and query efficiency on standard computer vision tasks such as ImageNet across different model architectures. Our artifacts and DIY attack samples are available on GitHub. Importantly, our work facilitates faster evaluation of model vulnerabilities and raises our vigilance on the safety, security and reliability of deployed systems.

UR - http://www.scopus.com/inward/record.url?scp=85200546522&partnerID=8YFLogxK

M3 - Conference Paper

AN - SCOPUS:85200546522

BT - The Twelfth International Conference on Learning Representations

A2 - Fragkiadaki, Katerina

A2 - Emtiyaz Khan, Mohammad

A2 - Chaudhuri, Swarat

A2 - Sun, Yizhou

PB - International Conference on Learning Representations (ICLR)

CY - USA

Y2 - 7 May 2024 through 11 May 2024

ER -

BRUSLEATTACK: A QUERY-EFFICIENT SCORE-BASED BLACK-BOX SPARSE ADVERSARIAL ATTACK

Abstract

Conference

Access to Document

Other files and links

Cite this