Procedural noise adversarial examples for black-box attacks on deep neural networks

Author: Emil Lupu, Luis Muñoz-González, Kenneth T. Co, Sixte de Maupeou
Year of publication: 2019
Subject:
Computer Science - Cryptography and Security (cs.CR)
Statistics - Machine Learning (stat.ML)
adversarial machine learning
black-box attacks
universal adversarial perturbations
Bayesian optimization
procedural noise
deep neural networks
Adversarial system
Artificial intelligence
Machine learning
Computer science
Information Systems
Theory & Methods
Telecommunications
Science & Technology
Technology
FOS: Computer and information sciences
02 engineering and technology
0202 electrical engineering, electronic engineering, information engineering
020206 networking & telecommunications
020207 software engineering
Source: 26th ACM Conference on Computer and Communications Security (CCS)
Abstract: Deep Convolutional Networks (DCNs) have been shown to be vulnerable to adversarial examples: perturbed inputs specifically designed to produce intentional errors in the learning algorithms at test time. Existing input-agnostic adversarial perturbations exhibit interesting visual patterns that are currently unexplained. In this paper, we introduce a structured approach for generating Universal Adversarial Perturbations (UAPs) with procedural noise functions. Our approach unveils the systemic vulnerability of popular DCN models like Inception v3 and YOLO v3, with single noise patterns able to fool a model on up to 90% of the dataset. Procedural noise allows us to generate a distribution of UAPs with high universal evasion rates using only a few parameters. Additionally, we propose Bayesian optimization to efficiently learn procedural noise parameters to construct inexpensive untargeted black-box attacks. We demonstrate that it can achieve an average of less than 10 queries per successful attack, a 100-fold improvement on existing methods. We further motivate the use of input-agnostic defences to increase the stability of models to adversarial perturbations. The universality of our attacks suggests that DCN models may be sensitive to aggregations of low-level class-agnostic features. These findings give insight on the nature of some universal adversarial perturbations and how they could be generated in other applications.
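The abstract describes two ingredients: a universal perturbation drawn from a procedural noise function with only a few parameters, and a query-efficient black-box search over those parameters. The block below is an added illustration of that pipeline, not code from the paper or its authors. It assumes fractal Perlin noise with a sine colour map as the procedural noise family (the abstract does not name one), clips the pattern to an L-infinity budget eps, and runs a query-counted random search over the noise parameters, standing in for the paper's Bayesian optimization. The victim is a constructed toy black box that thresholds a single low-level texture feature, chosen to mirror the abstract's remark about sensitivity to class-agnostic low-level features; the dataset is constructed too. All names (procedural_uap, ToyBlackBox, universal_evasion_rate, black_box_search) are this example's own.

```python
# Added illustration (not the paper's code): procedural-noise UAPs driven by
# four parameters, an L-infinity budget, and a query-counted black-box search.
# Pure Python; images are lists of rows of floats in [0, 1].
import math
import random


def _grad(ix, iy, seed):
    # Hash the lattice point to a deterministic unit gradient vector.
    h = (ix * 374761393 + iy * 668265263 + seed * 1442695041) & 0xFFFFFFFF
    h = ((h ^ (h >> 13)) * 1274126177) & 0xFFFFFFFF
    angle = (h & 0xFFFF) / 65536.0 * 2.0 * math.pi
    return math.cos(angle), math.sin(angle)


def perlin(x, y, seed):
    # Classic 2-D Perlin gradient noise, roughly in [-1, 1].
    x0, y0 = math.floor(x), math.floor(y)
    fx, fy = x - x0, y - y0
    u = fx * fx * fx * (fx * (fx * 6 - 15) + 10)   # smoothstep fade
    v = fy * fy * fy * (fy * (fy * 6 - 15) + 10)

    def corner(ix, iy, dx, dy):
        gx, gy = _grad(ix, iy, seed)
        return gx * dx + gy * dy

    n00, n10 = corner(x0, y0, fx, fy), corner(x0 + 1, y0, fx - 1, fy)
    n01, n11 = corner(x0, y0 + 1, fx, fy - 1), corner(x0 + 1, y0 + 1, fx - 1, fy - 1)
    nx0, nx1 = n00 + u * (n10 - n00), n01 + u * (n11 - n01)
    return nx0 + v * (nx1 - nx0)


def fractal_perlin(width, height, freq, octaves, seed):
    # Sum `octaves` layers, each doubling the frequency and halving the weight.
    img = []
    for j in range(height):
        row = []
        for i in range(width):
            total, amp, f, norm = 0.0, 1.0, freq, 0.0
            for o in range(octaves):
                total += amp * perlin(i * f / width, j * f / height, seed + o)
                norm, amp, f = norm + amp, amp * 0.5, f * 2.0
            row.append(total / norm)
        img.append(row)
    return img


def procedural_uap(params, eps, width, height):
    # (freq, octaves, period, seed) -> perturbation. A sine colour map turns the
    # smooth noise into periodic bands (assumed design); pixels clipped to +/- eps.
    freq, octaves, period, seed = params
    noise = fractal_perlin(width, height, freq, octaves, seed)
    return [[max(-eps, min(eps, eps * math.sin(2.0 * math.pi * period * n)))
             for n in row] for row in noise]


def horizontal_texture(img):
    # Mean |x[i+1] - x[i]| across rows: a low-level, class-agnostic feature.
    h, w = len(img), len(img[0])
    return sum(abs(r[i + 1] - r[i]) for r in img for i in range(w - 1)) / (h * (w - 1))


class ToyBlackBox:
    # Constructed victim: label 1 ("textured") if texture > threshold, else 0.
    # Only predict() is exposed, and each call counts as one query.
    def __init__(self, threshold=0.05):
        self.threshold, self.queries = threshold, 0

    def predict(self, img):
        self.queries += 1
        return 1 if horizontal_texture(img) > self.threshold else 0


def make_dataset(n, width, height, seed=0):
    # Constructed inputs: even indices are smooth ramps (label 0), odd indices
    # uniform noise (label 1). The toy model classifies all of them correctly.
    rng = random.Random(seed)
    data = []
    for k in range(n):
        if k % 2 == 0:
            base = rng.uniform(0.2, 0.8)
            img = [[base + 0.001 * i + rng.uniform(-0.005, 0.005)
                    for i in range(width)] for _ in range(height)]
        else:
            img = [[rng.uniform(0.35, 0.65) for _ in range(width)] for _ in range(height)]
        data.append((img, k % 2))
    return data


def universal_evasion_rate(model, dataset, delta):
    # Fraction of inputs pushed off their true label by the SAME delta; the
    # perturbed image is clipped back to [0, 1]. Costs one query per input.
    wrong = 0
    for img, label in dataset:
        adv = [[min(1.0, max(0.0, x + d)) for x, d in zip(r, dr)] for r, dr in zip(img, delta)]
        wrong += model.predict(adv) != label
    return wrong / len(dataset)


def black_box_search(model, dataset, eps, width, height, n_candidates, seed=0):
    # Random search over the four noise parameters, standing in for the paper's
    # Bayesian optimization. Returns (best evasion rate, best params).
    rng = random.Random(seed)
    best_rate, best_params = -1.0, None
    for _ in range(n_candidates):
        params = (rng.uniform(1.0, 16.0), rng.randint(1, 4),
                  rng.uniform(0.5, 8.0), rng.randint(0, 10**6))
        rate = universal_evasion_rate(model, dataset, procedural_uap(params, eps, width, height))
        if rate > best_rate:
            best_rate, best_params = rate, params
    return best_rate, best_params
```

Usage: `black_box_search(ToyBlackBox(), make_dataset(20, 32, 32), 0.1, 32, 32, 10)` returns the best universal evasion rate found and the four parameters that produced it, and the model's `queries` counter afterwards equals candidates times dataset size, which is the cost metric the abstract reports. The search space is four numbers rather than one value per pixel, which is the point of parameterising the perturbation with a noise function; because the toy victim keys on texture energy, only the class-0 (smooth) inputs can be flipped by an untargeted pattern, so its evasion rate saturates at the class-0 fraction, a reminder that a universal perturbation's ceiling depends on which low-level features the model aggregates.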
Comment: 16 pages, 10 figures. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19)
Database: OpenAIRE