This AI paper proposes the Approximate Decision Boundary Approach (ADBA), an approach to black-box adversarial attacks.



https://arxiv.org/abs/2406.04998

Machine learning techniques, especially deep neural networks (DNNs), are widely believed to be vulnerable to adversarial attacks. In image classification tasks, even small variations in the input images can dramatically affect the classification accuracy of a pre-trained model. The impact of these variations in real-world scenarios raises significant security concerns in important applications of DNNs across various domains. These concerns highlight the importance of understanding and mitigating adversarial attacks.

Adversarial attacks are classified into white-box and black-box attacks. White-box attacks require comprehensive knowledge of the target machine learning model, making them impractical in many real-world scenarios. Black-box attacks, on the other hand, are more realistic as they do not require detailed knowledge of the target model. Black-box attacks are divided into transfer-based attacks, score-based attacks (or soft-label attacks), and decision-based attacks (or hard-label attacks). Decision-based attacks are particularly stealthy as they rely only on the hard labels of the target model to create adversarial samples.

Scientists focus on decision-based attacks due to their general applicability and effectiveness in real-world adversarial situations. These attacks aim to fool the target model while adhering to constraints such as generating adversarial samples with as few queries as possible and keeping the strength of perturbations within a predefined threshold. Violating these constraints makes the attack more likely to be detected and more likely to fail. The challenge for an attacker is greater because, with only hard labels available, there is no detailed knowledge of the target model or its output scores, which makes it harder to determine the decision boundary and optimize the perturbation direction.

Existing decision-based attacks can be categorized into random search, gradient estimation, and geometric modeling attacks. The researchers focus on random search attacks, which aim to find the optimal perturbation direction with the smallest decision boundary. Query-intensive exact search techniques, such as binary search, are typically used to identify decision boundaries for different perturbation directions. However, binary search requires many queries, which reduces the query efficiency.
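The query cost described above can be measured directly. The following is an added example, not code from the paper or from this article: it counts hard-label queries when binary search locates the decision boundary along random directions, which is the kind of figure used when sizing query budgets for robustness tests. The toy linear classifier, the names `HardLabelOracle`, `boundary_distance` and `random_search_cost`, and the `hi` and `tol` values are all assumptions made for illustration.

```python
import math
import random

class HardLabelOracle:
    """Toy 2-class linear model (assumed): returns only a label, counts queries."""
    def __init__(self, w, b):
        self.w, self.b, self.queries = w, b, 0

    def label(self, x):
        self.queries += 1
        return int(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b > 0)

def boundary_distance(oracle, x, direction, hi=8.0, tol=1e-3):
    """Binary-search the distance along `direction` at which the label flips.
    Returns None when the label does not flip within `hi`."""
    norm = math.sqrt(sum(d * d for d in direction))
    unit = [d / norm for d in direction]

    def step(r):
        return [xi + r * ui for xi, ui in zip(x, unit)]

    y0 = oracle.label(x)                  # 1 query: original label
    if oracle.label(step(hi)) == y0:      # 1 query: is there a flip at all?
        return None
    lo = 0.0
    while hi - lo > tol:                  # ceil(log2(hi / tol)) further queries
        mid = (lo + hi) / 2
        if oracle.label(step(mid)) == y0:
            lo = mid
        else:
            hi = mid
    return hi                             # within `tol` of the true boundary

def random_search_cost(n_directions=50, seed=0):
    """Exact boundary search over random directions; returns (best, queries)."""
    rng = random.Random(seed)
    oracle = HardLabelOracle(w=[1.0, -2.0, 0.5], b=-1.0)
    x = [0.0, 0.0, 0.0]                   # constructed sample, labelled 0
    best = None
    for _ in range(n_directions):
        d = [rng.gauss(0, 1) for _ in range(3)]
        r = boundary_distance(oracle, x, d)
        if r is not None and (best is None or r < best):
            best = r
    return best, oracle.queries

if __name__ == "__main__":
    print(random_search_cost())
```

With these assumed settings, every direction that crosses the boundary costs 15 queries, so the total grows linearly with the number of directions tried.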

The main problem with random search attacks is the large number of queries required to identify the decision boundary and optimize the perturbation direction, which increases the chances of detection and reduces the success rate of the attack. Increasing the attack efficiency and minimizing the number of queries are essential to improve decision-based attacks. Various strategies have been proposed to improve the efficiency of queries, such as optimizing the search process and using more sophisticated algorithms to estimate the decision boundary more accurately with fewer queries.

Improving the efficiency of decision-based attacks requires a delicate balance between minimizing the number of queries and maintaining an effective perturbation strategy. The researchers suggest that future work will continue to explore innovative ways to increase the efficiency and effectiveness of these attacks, which will enable DNNs to be robustly tested and protected against potential adversarial threats, addressing growing concerns about vulnerabilities in critical applications.



Arshad is an intern at MarktechPost and is currently pursuing his Masters in Physics from Indian Institute of Technology Kharagpur. Understanding things at a fundamental level leads to new discoveries which in turn lead to technological advancements. He is passionate about leveraging tools like Mathematical Models, ML Models, and AI to gain a fundamental understanding of nature.
