RamBoAttack: A Robust Query Efficient Deep Neural Network Decision Exploit

Viet Quoc Vo, Ehsan Abbasnejad, Damith C. Ranasinghe

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

6 Citations (Scopus)

Abstract

Machine learning models are critically susceptible to evasion attacks from adversarial examples. Generally, adversarial examples (modified inputs deceptively similar to the original input) are constructed under whitebox access settings by adversaries with full access to the model. However, recent attacks have shown a remarkable reduction in the number of queries needed to craft adversarial examples using blackbox attacks. Particularly alarming is the now practical ability to exploit simply the classification decision (hard-label only) from a trained model's access interface, provided by a growing number of Machine Learning as a Service (MLaaS) providers (including Google, Microsoft and IBM) and used by a plethora of applications incorporating these models. An adversary's ability to exploit only the predicted hard-label from a model query to craft adversarial examples is distinguished as a decision-based attack. In our study, we first deep-dive into recent state-of-the-art decision-based attacks in ICLR and S&P to highlight the costly nature of discovering low-distortion adversarial examples with approximate gradient estimation methods. We develop a robust class of query-efficient attacks capable of avoiding entrapment in a local minimum and misdirection from the noisy gradients seen in gradient estimation methods. The attack method we propose, RamBoAttack, exploits the notion of Randomized Block Coordinate Descent to explore the hidden classifier manifold, targeting perturbations that manipulate only localized input features to address the issues of gradient estimation methods. Importantly, RamBoAttack is demonstrably more robust to the different sample inputs available to an adversary and/or the targeted class. Overall, for a given target class, RamBoAttack is demonstrated to be more robust at achieving a lower distortion and higher attack success rate within a given query budget. We curate our results using the large-scale high-resolution ImageNet dataset and open-source our attack, test samples and artifacts.

Original language: English
Title of host publication: Proceedings, 2022 Network and Distributed System Security Symposium
Editors: Farinaz Koushanfar, Wenyuan Xu
Place of Publication: Reston VA USA
Publisher: Internet Society
Number of pages: 18
ISBN (Electronic): 1891562746, 9781891562747
DOIs
Publication status: Published - 2022
Externally published: Yes
Event: Usenix Network and Distributed System Security Symposium 2022 - Hybrid, San Diego, United States of America
Duration: 24 Apr 2022 - 28 Apr 2022
Conference number: 29th
https://www.ndss-symposium.org/ndss2022/ (Website)
https://www.ndss-symposium.org/ndss-program/ndss-2022/ (Proceedings)

Conference

Conference: Usenix Network and Distributed System Security Symposium 2022
Abbreviated title: NDSS 2022
Country/Territory: United States of America
City: San Diego
Period: 24/04/22 - 28/04/22
