Machine learning has been broadly applied in many applications because of its satisfying performance. In security-related applications, e.g. facial recognition and fingerprint identification, an adversary deliberately misleads the pattern recognition system by manipulating training or test samples. A black-box attack is an adversarial attack that camouflages unseen samples to evade detection with only limited information about the system. Recently, a few studies have examined the robustness of machine learning, especially deep learning, under black-box attack. In this study, we investigate the security of the stacked autoencoder, one of the most famous models in deep learning, against black-box attack. A training dataset generation method is proposed for the substitute model in a black-box attack. By querying the target classifier for the labels of samples, we train a model that approximates the target classifier. To better approximate the decision boundary of the target classifier, a hybrid data generation method is adopted to increase the number of training samples: new samples are generated by combining samples both near and far from the decision boundary of the substitute model. The experimental results suggest that our proposed method degrades the classifier's accuracy more significantly than the existing one while using fewer label queries. This shows that the proposed method trains a substitute model that approximates the target classifier more efficiently.