Towards Lightweight Black-Box Attack Against Deep Neural Networks

Chenghao Sun, Yonggang Zhang, Chaoqun Wan, Qizhou Wang, Ya Li, Tongliang Liu, Bo Han, Xinmei Tian*

*Corresponding author for this work

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

8 Citations (Scopus)

Abstract

Black-box attacks can generate adversarial examples without accessing the parameters of the target model, largely exacerbating the threats posed by deployed deep neural networks (DNNs). However, previous works state that black-box attacks fail to mislead target models when their training data and outputs are inaccessible. In this work, we argue that black-box attacks can pose practical threats even in this extremely restrictive scenario, where only a few test samples are available. Specifically, we find that attacking the shallow layers of DNNs trained on a few test samples can generate powerful adversarial examples. As only a few samples are required, we refer to these attacks as lightweight black-box attacks. The main challenge in promoting lightweight attacks is mitigating the adverse impact caused by the approximation error of the shallow layers. Since it is hard to mitigate this approximation error with few available samples, we propose the Error TransFormer (ETF) for lightweight attacks. Namely, ETF transforms the approximation error in the parameter space into a perturbation in the feature space and alleviates the error by disturbing features. In experiments, lightweight black-box attacks with the proposed ETF achieve surprising results. For example, even with only 1 sample per category available, the attack success rate of lightweight black-box attacks is only about 3% lower than that of black-box attacks with complete training data.
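The core idea the abstract describes — perturbing an input so that the features at a *shallow* layer of a surrogate model are maximally disturbed — can be illustrated with a minimal numerical sketch. This is not the authors' ETF implementation: the toy surrogate, the step size, and the perturbation budget below are all placeholder assumptions used only to show the shallow-layer feature-distortion objective.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy surrogate "shallow layer": a single linear map followed by ReLU.
# The weights W1 are random placeholders, not a trained model.
W1 = rng.standard_normal((8, 4))

def shallow_features(x):
    """ReLU features at the surrogate's shallow layer."""
    return np.maximum(W1 @ x, 0.0)

def shallow_layer_attack(x, eps=0.5, steps=10, lr=0.1):
    """PGD-style ascent on the shallow-layer feature distortion
    ||f(x + delta) - f(x)||^2, keeping delta in an L-inf ball of radius eps."""
    f_clean = shallow_features(x)
    # Random start inside the ball (a zero start would give a zero gradient).
    delta = 0.1 * eps * rng.uniform(-1.0, 1.0, size=x.shape)
    for _ in range(steps):
        z = W1 @ (x + delta)
        f_adv = np.maximum(z, 0.0)
        # Gradient of 0.5 * ||f_adv - f_clean||^2 w.r.t. the perturbation;
        # (z > 0) is the ReLU derivative.
        grad = W1.T @ ((f_adv - f_clean) * (z > 0))
        delta = np.clip(delta + lr * np.sign(grad), -eps, eps)
    return delta

x = rng.standard_normal(4)
delta = shallow_layer_attack(x)
distortion = np.linalg.norm(shallow_features(x + delta) - shallow_features(x))
```

Because the objective only involves the shallow layer, no labels or model outputs are needed — which is what makes the few-sample ("lightweight") setting plausible in the first place.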
Original language: English
Title of host publication: NIPS '22: Proceedings of the 36th International Conference on Neural Information Processing Systems
Editors: S. Koyejo, S. Mohamed, A. Agarwal, D. Belgrave, K. Cho, A. Oh
Publisher: Neural Information Processing Systems Foundation
Pages: 19319-19331
Number of pages: 13
ISBN (Print): 9781713871088
Publication status: Published - 28 Nov 2022
Event: 36th Conference on Neural Information Processing Systems, NeurIPS 2022 - New Orleans Convention Center, New Orleans, United States
Duration: 28 Nov 2022 - 9 Dec 2022
https://neurips.cc/Conferences/2022
https://openreview.net/group?id=NeurIPS.cc/2022/Conference
https://proceedings.neurips.cc/paper_files/paper/2022

Publication series

Name: Advances in Neural Information Processing Systems
Volume: 35
ISSN (Print): 1049-5258
Name: NeurIPS Proceedings

Conference

Conference: 36th Conference on Neural Information Processing Systems, NeurIPS 2022
Country/Territory: United States
City: New Orleans
Period: 28/11/22 - 9/12/22

