Research on adversarial examples for machine learning has received much attention in recent years. Most previous approaches are white-box attacks; this means the attacker needs to obtain the internal parameters of a target classifier beforehand in order to generate adversarial examples for it. This condition is hard to satisfy in practice. There is also research on black-box attacks, in which the attacker can only obtain partial information about the target classifier; however, it seems we can prevent these attacks, since they need to issue many suspicious queries to the target classifier. In this paper, we show that a naive defense strategy based on surveillance of the number of queries will not suffice. More concretely, we propose to generate not pixel-wise but block-wise adversarial perturbations to reduce the number of queries. Our experiments show that such rough perturbations can confuse the target classifier. We succeed in reducing the number of queries needed to generate adversarial examples in most cases. Our simple method is an untargeted attack and may have low success rates compared to previous results of other black-box attacks, but it needs fewer queries on average. Surprisingly, the minimum number of queries (one and three on the MNIST and CIFAR-10 datasets, respectively) is enough to generate adversarial examples in some cases. Moreover, based on these results, we propose a detailed classification of black-box attackers and discuss countermeasures against the above attacks.
Yuya SENZAKI
Idein Inc.
Satsuya OHATA
National Institute of Advanced Industrial Science and Technology (AIST)
Kanta MATSUURA
The University of Tokyo
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yuya SENZAKI, Satsuya OHATA, Kanta MATSUURA, "Simple Black-Box Adversarial Examples Generation with Very Few Queries" in IEICE TRANSACTIONS on Information,
vol. E103-D, no. 2, pp. 212-221, February 2020, doi: 10.1587/transinf.2019INP0002.
Abstract: Research on adversarial examples for machine learning has received much attention in recent years. Most previous approaches are white-box attacks; this means the attacker needs to obtain the internal parameters of a target classifier beforehand in order to generate adversarial examples for it. This condition is hard to satisfy in practice. There is also research on black-box attacks, in which the attacker can only obtain partial information about the target classifier; however, it seems we can prevent these attacks, since they need to issue many suspicious queries to the target classifier. In this paper, we show that a naive defense strategy based on surveillance of the number of queries will not suffice. More concretely, we propose to generate not pixel-wise but block-wise adversarial perturbations to reduce the number of queries. Our experiments show that such rough perturbations can confuse the target classifier. We succeed in reducing the number of queries needed to generate adversarial examples in most cases. Our simple method is an untargeted attack and may have low success rates compared to previous results of other black-box attacks, but it needs fewer queries on average. Surprisingly, the minimum number of queries (one and three on the MNIST and CIFAR-10 datasets, respectively) is enough to generate adversarial examples in some cases. Moreover, based on these results, we propose a detailed classification of black-box attackers and discuss countermeasures against the above attacks.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019INP0002/_p
@ARTICLE{e103-d_2_212,
author={Yuya SENZAKI and Satsuya OHATA and Kanta MATSUURA},
journal={IEICE TRANSACTIONS on Information},
title={Simple Black-Box Adversarial Examples Generation with Very Few Queries},
year={2020},
volume={E103-D},
number={2},
pages={212-221},
abstract={Research on adversarial examples for machine learning has received much attention in recent years. Most of previous approaches are white-box attacks; this means the attacker needs to obtain before-hand internal parameters of a target classifier to generate adversarial examples for it. This condition is hard to satisfy in practice. There is also research on black-box attacks, in which the attacker can only obtain partial information about target classifiers; however, it seems we can prevent these attacks, since they need to issue many suspicious queries to the target classifier. In this paper, we show that a naive defense strategy based on surveillance of number query will not suffice. More concretely, we propose to generate not pixel-wise but block-wise adversarial perturbations to reduce the number of queries. Our experiments show that such rough perturbations can confuse the target classifier. We succeed in reducing the number of queries to generate adversarial examples in most cases. Our simple method is an untargeted attack and may have low success rates compared to previous results of other black-box attacks, but needs in average fewer queries. Surprisingly, the minimum number of queries (one and three in MNIST and CIFAR-10 dataset, respectively) is enough to generate adversarial examples in some cases. Moreover, based on these results, we propose a detailed classification for black-box attackers and discuss countermeasures against the above attacks.},
keywords={},
doi={10.1587/transinf.2019INP0002},
ISSN={1745-1361},
month={February},
}
TY - JOUR
TI - Simple Black-Box Adversarial Examples Generation with Very Few Queries
T2 - IEICE TRANSACTIONS on Information
SP - 212
EP - 221
AU - Yuya SENZAKI
AU - Satsuya OHATA
AU - Kanta MATSUURA
PY - 2020
DO - 10.1587/transinf.2019INP0002
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E103-D
IS - 2
JA - IEICE TRANSACTIONS on Information
Y1 - February 2020
AB - Research on adversarial examples for machine learning has received much attention in recent years. Most of previous approaches are white-box attacks; this means the attacker needs to obtain before-hand internal parameters of a target classifier to generate adversarial examples for it. This condition is hard to satisfy in practice. There is also research on black-box attacks, in which the attacker can only obtain partial information about target classifiers; however, it seems we can prevent these attacks, since they need to issue many suspicious queries to the target classifier. In this paper, we show that a naive defense strategy based on surveillance of number query will not suffice. More concretely, we propose to generate not pixel-wise but block-wise adversarial perturbations to reduce the number of queries. Our experiments show that such rough perturbations can confuse the target classifier. We succeed in reducing the number of queries to generate adversarial examples in most cases. Our simple method is an untargeted attack and may have low success rates compared to previous results of other black-box attacks, but needs in average fewer queries. Surprisingly, the minimum number of queries (one and three in MNIST and CIFAR-10 dataset, respectively) is enough to generate adversarial examples in some cases. Moreover, based on these results, we propose a detailed classification for black-box attackers and discuss countermeasures against the above attacks.
ER -