TY - GEN
T1 - QE-DBA
T2 - 2024 International Conference on Computing, Networking and Communications, ICNC 2024
AU - Zhang, Zhuosheng
AU - Ahmed, Noor
AU - Yu, Shucheng
N1 - Publisher Copyright: © 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - With the widespread popularity of mobile internet, an increasing number of IoT devices can use cloud services to invoke deep learning to accomplish computer vision tasks. Decision-based attacks (DBA), wherein attackers perturb inputs to spoof learning algorithms by observing solely the output labels, are a severe type of adversarial attack against Deep Neural Networks (DNNs) that requires minimal knowledge on the attacker's part. Most existing DBA attacks rely on zeroth-order gradient estimation and require an excessive number (>20,000) of queries to converge. To better understand the attack, this paper presents an efficient DBA attack technique, namely QE-DBA, that greatly improves query efficiency. We achieve this by introducing dimension reduction techniques and derivative-free optimization to the process of closest decision boundary search. In QE-DBA, we adopt the Gaussian process to model the distribution of decision boundary radius over a low-dimensional search space defined by perturbation generator functions. Bayesian Optimization is then leveraged to find the optimal direction. Experimental results on pre-trained ImageNet classifiers show that QE-DBA converges within 200 queries, while state-of-the-art DBA techniques using zeroth-order optimization need over 15,000 queries to achieve the same level of perturbation distortion.
KW - Adversarial Attack
KW - Bayesian Optimization
KW - Image Classification
KW - Internet of Things
UR - http://www.scopus.com/inward/record.url?scp=85197886403&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85197886403&partnerID=8YFLogxK
U2 - 10.1109/ICNC59896.2024.10555954
DO - 10.1109/ICNC59896.2024.10555954
M3 - Conference contribution
AN - SCOPUS:85197886403
T3 - 2024 International Conference on Computing, Networking and Communications, ICNC 2024
SP - 783
EP - 788
BT - 2024 International Conference on Computing, Networking and Communications, ICNC 2024
Y2 - 19 February 2024 through 22 February 2024
ER -