摘要
This paper addresses(解决) the challenging black-box adversarial attack problem(黑盒对抗攻击问题), where only classification confidence(分类置信度) of a victim model(受害者模型) is available. Inspired by consistency(一致性) of visual saliency(视觉显著性) between different vision models(视觉模型), a surrogate model(代理模型) is expected to improve the attack performance(攻击性能) via transferability(可转移性). By combining(结合) transferability-based(基于可转移性) and query-based(基于查询) black-box attack, we propose a surprisingly simple baseline approach(基线方法) (named SimBA++) using the surrogate model(代理模型), which significantly outperforms(明显优于) several state-of-the-art(最先进的) methods. Moreover(此外), to efficiently utilize(有效利用) the query feedbac(查询反馈), we update the surrogate model(代理模型) in a novel learning scheme(新的学习方案), named High-Order Gradient Approximation (HOGA 高阶梯度近似). By constructing(构造) a high-order gradient computation graph(高阶梯度计算图), we update the surrogate model to approximate(逼近) the victim model in both forward and backward pass(正向和反向传递). The SimBA++ and HOGA result in Learnable Black-Box Attack(可学习的黑盒攻击) (LeBA), which surpasses(超过) previous state of the art by considerable margins: the proposed LeBA significantly reduces queries(减少了查询), while keeping higher attack success rates(攻击成功率) close to(接近) 100% in extensive(广泛的) Ima-geNet experiments, including attacking vision benchmarks and defensive models(攻击视觉基准和防御模型).
算法
论文链接
Learning black-box attackers with transferable priors and query feedback
笔记
在模型窃取攻击中,攻击者通过对受害者模型进行查询,并利用查询结果反向构建具有相似功能的替代模型。然后,攻击者可以利用替代模型发起进一步的对抗攻击。
998
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
