Limited Query Black-box Adversarial Attacks in the Real World

Science fair category

Taiwan International Science Fair entry

Edition

2022

Subject

Computer Science and Information Engineering

Award

Third Prize

School name

High School of Mathematics and Natural Sciences "Professor Emanuil Ivanov"

Author

Hristo Todorov

Keywords

machine learning, adversarial

Abstract or motivation

We study the creation of physical adversarial examples, which are robust to real-world transformations, using a limited number of queries to the target black-box neural networks. We observe that robust models tend to be especially susceptible to foreground manipulations, which motivates our novel Foreground attack. We demonstrate that gradient priors are a useful signal for black-box attacks and therefore introduce an improved version of the popular SimBA. We also propose an algorithm for transferable attacks that selects the surrogates most similar to the target model. Our black-box attacks outperform the state-of-the-art approaches they are based on and support our belief that the concept of model similarity could be leveraged to build strong attacks in a limited-information setting.

190045.pdf

Adobe Reader (PDF) file