Attacking Black-Box Image Classifiers With Particle Swarm Optimization

Deep Neural Networks (DNNs) are susceptible to adversarial examples. Evaluating the classification performance of existing neural networks, and enlarging training sets to improve the robustness of classification models, both require more effective methods of generating adversarial examples. Under black-box conditions, with little information about the parameters of the classification model, a limited number of queries, and little feedback information available, it is difficult to generate adversarial examples against the black-box model. To further improve the efficiency of adversarial image generation, we propose two variants of the Particle Swarm Optimization algorithm (vPSO), based on traditional Particle Swarm Optimization, for targeted and non-targeted attacks under completely black-box conditions. Compared with existing state-of-the-art generation algorithms, vPSO effectively reduces the number of queries to the black-box classifier and the dependence on feedback information. The success rate of the targeted attack is up to 96.0%, and the average number of queries to the black-box model is greatly reduced. Furthermore, we propose an efficient target-image screening method for targeted attacks, as well as the concept of easy-to-attack and hard-to-attack images for non-targeted attacks, and give the corresponding distinctions.
