Deep neural networks and other machine learning systems, despite being extremely powerful and able to make predictions with high accuracy, are vulnerable to adversarial attacks. We propose the DeltaBound attack: a novel, powerful attack in the hard-label setting with $\ell_2$ norm bounded perturbations. In this scenario, the attacker has access only to the top-1 predicted label of the model, so the attack can be applied to real-world settings such as remote APIs. This is a difficult problem because the attacker has very little information about the model. Consequently, most other techniques in the literature require a massive number of queries to attack a single example. In contrast, this work focuses on evaluating the attack's power in the low-query regime ($\leq 1000$ queries) with $\ell_2$ norm in the hard-label setting. We find that the DeltaBound attack performs as well as, and sometimes better than, current state-of-the-art attacks while remaining competitive across different kinds of models. Moreover, we evaluate our method not only against deep neural networks, but also against non-deep-learning models such as Gradient Boosting Decision Trees and Multinomial Naive Bayes.