Practical No-box Adversarial Attacks against DNNs
This work addresses the practical challenge of adversarial attacks for scenarios where typical access to the victim model is infeasible or expensive, expanding the applicability of such attacks for security researchers and practitioners.
This paper explores "no-box" adversarial attacks against deep neural networks (DNNs), where the attacker has no access to the model or its training data, nor can they query it. The authors propose training with a very small dataset and found that prototypical reconstruction was most effective, reducing the average prediction accuracy of a commercial celebrity recognition system to 15.40%.
The study of adversarial vulnerabilities of deep neural networks (DNNs) has progressed rapidly. Existing attacks require either internal access (to the architecture, parameters, or training set of the victim model) or external access (to query the model). However, both the access may be infeasible or expensive in many scenarios. We investigate no-box adversarial examples, where the attacker can neither access the model information or the training set nor query the model. Instead, the attacker can only gather a small number of examples from the same problem domain as that of the victim model. Such a stronger threat model greatly expands the applicability of adversarial attacks. We propose three mechanisms for training with a very small dataset (on the order of tens of examples) and find that prototypical reconstruction is the most effective. Our experiments show that adversarial examples crafted on prototypical auto-encoding models transfer well to a variety of image classification and face verification models. On a commercial celebrity recognition system held by clarifai.com, our approach significantly diminishes the average prediction accuracy of the system to only 15.40%, which is on par with the attack that transfers adversarial examples from a pre-trained Arcface model.