Black-box decision based adversarial attack with symmetric α-stable distribution

Kuruoglu EE;
2019

Abstract

Developing techniques for adversarial attack and defense is an important research field for establishing reliable machine learning and its applications. Many existing methods employ Gaussian random variables for exploring the data space to find the most adversarial (for attacking) or least adversarial (for defense) point. However, the Gaussian distribution is not necessarily the optimal choice when the exploration is required to follow the complicated structure that most real-world data distributions exhibit. In this paper, we investigate how statistics of random variables affect such random walk exploration. Specifically, we generalize the Boundary Attack, a state-of-the-art blackbox decision based attacking strategy, and propose the Lévy-Attack, where the random walk is driven by symmetric α-stable random variables. Our experiments on MNIST and CIFAR10 datasets show that the Lévy-Attack explores the image data space more efficiently, and significantly improves the performance. Our results also give an insight into the recently found fact in the whitebox attacking scenario that the choice of the norm for measuring the amplitude of the adversarial patterns is essential.
2019
Istituto di Scienza e Tecnologie dell'Informazione "Alessandro Faedo" - ISTI
978-9-0827-9703-9
adversarial attack
deep neural networks
image classification
alpha-stable distribution

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/368079