Poster: Adversaries Don't Care About Averages: Batch Attacks on Black-Box Classifiers


Abstract—We study black-box attacks on deep learning models where the adversary’s goal is to acquire a batch of adversarial examples while minimizing the total number of queries. Our basic hypotheses are that (1) there is high variance on the number of queries across different seed images and (2) there exist efficient strategies to identify images which require fewer queries. Hence, the cost of generating each adversarial example in a batch attack can be much less than the average attack cost by focusing resources on the easiest seeds. Our preliminary results on CNN models for CIFAR-10 dataset show that both hypotheses hold and that a simple greedy strategy can provide close to optimal performance, reducing the total cost to find batch of adversarial examples to less than 1/25 of the cost of a random search strategy when the attacker can select target seeds from a large pool of possible seeds.

In IEEE Symposium on Security and Privacy, 2018
Fnu Suya
Fnu Suya
MC2 Postdoctoral Fellow

My research interests include machine learning for security and trustworthy machine learning.