Abstract
Abstract—We study black-box attacks on deep learning models where the adversary’s goal is to acquire a batch of adversarial examples while minimizing the total number of queries. Our basic hypotheses are that (1) there is high variance on the number of queries across different seed images and (2) there exist efficient strategies to identify images which require fewer queries. Hence, the cost of generating each adversarial example in a batch attack can be much less than the average attack cost by focusing resources on the easiest seeds. Our preliminary results on CNN models for CIFAR-10 dataset show that both hypotheses hold and that a simple greedy strategy can provide close to optimal performance, reducing the total cost to find batch of adversarial examples to less than 1/25 of the cost of a random search strategy when the attacker can select target seeds from a large pool of possible seeds.
Fnu Suya
MC2 Postdoctoral Fellow
My research interests include machine learning for security and trustworthy machine learning.