DaST: Data-Free Substitute Training for Adversarial Attacks

Zhou, Mingyi; Wu, Jian; Liu, Yipeng; Liu, Shuaicheng; Zhu, Ce

doi:10.1109/cvpr42600.2020.00031

Cited by 105 publications

(86 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently, this topic has attracted attention in image classification [18,30,32,46] and text classification [20,31]. In this work, we show that model extraction attacks also pose a threat to sequential recommender systems.…”

Section: Introductionmentioning

confidence: 69%

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Yue

Zeng

et al. 2021

Fifteenth ACM Conference on Recommender Systems

View full text Add to dashboard Cite

We investigate whether model extraction can be used to 'steal' the weights of sequential recommender systems, and the potential threats posed to victims of such attacks. This type of risk has attracted attention in image and text classification, but to our knowledge not in recommender systems. We argue that sequential recommender systems are subject to unique vulnerabilities due to the specific autoregressive regimes used to train them. Unlike many existing recommender attackers, which assume the dataset used to train the victim model is exposed to attackers, we consider a data-free setting, where training data are not accessible. Under this setting, we propose an API-based model extraction method via limited-budget synthetic data generation and knowledge distillation. We investigate state-of-the-art models for sequential recommendation and show their vulnerability under model extraction and downstream attacks.We perform attacks in two stages. (1) Model extraction: given different types of synthetic data and their labels retrieved from a black-box recommender, we extract the black-box model to a white-box model via distillation. (2) Downstream attacks: we attack the black-box model with adversarial samples generated by the white-box recommender. Experiments show the effectiveness of our data-free model extraction and downstream attacks on sequential recommenders in both profile pollution and data poisoning settings.

show abstract

Section: Introductionmentioning

confidence: 69%

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Yue

Zeng

et al. 2021

Fifteenth ACM Conference on Recommender Systems

View full text Add to dashboard Cite

show abstract

“…In contrast to this, black-box attacks do not require directly knowing the model and trained parameters. Black-box attacks rely on alternative information like query access to the classifier [2], knowing the training dataset [1], or transferring adversarial examples from one trained classifier to another [9].…”

Section: Introductionmentioning

confidence: 99%

Back in Black: A Comparative Evaluation of Recent State-Of-The-Art Black-Box Attacks

Mahmood

Rathbun

et al. 2022

IEEE Access

View full text Add to dashboard Cite

The field of adversarial machine learning has experienced a near exponential growth in the amount of papers being produced since 2018. This massive information output has yet to be properly processed and categorized. In this paper, we seek to help alleviate this problem by systematizing the recent advances in adversarial machine learning black-box attacks since 2019. Our survey summarizes and categorizes 20 recent black-box attacks. We also present a new analysis for understanding the attack success rate with respect to the adversarial model used in each paper. Overall, our paper surveys a wide body of literature to highlight recent attack developments and organizes them into four attack categories: score based attacks, decision based attacks, transfer attacks and non-traditional attacks. Further, we provide a new mathematical framework to show exactly how attack results can fairly be compared. INDEX TERMSAdversarial machine learning, adversarial examples, adversarial defense, black-box attack, security, deep learning. Score based Attacks Attack Name Date Author qMeta 6-Jun-19 Du et al. [24] P-RGF 17-Jun-19 Cheng et al. [25] ZO-ADMM 26-Jul-19 Zhao et al. [26] TREMBA 17-Nov-19 Huang et al. [27] Square 29-Nov-19 Andriushchenko et al. [28] ZO-NGD 18-Feb-20 Zhao et al. [29] PPBA 8-May-20 Liu et al. [30] Decision based Attacks Attack Name Date Author qFool 26-Mar-19 Liu et al. [31] HSJA 3-Apr-19 Chen et al. [10] GeoDA 13-Mar-20 Rahmati et al. [32] QEBA 28-May-20 Li et al. [33] RayS 23-Jun-20 Chen et al. [34] SurFree 25-Nov-20 Maho et al. [12] NonLinear-BA 25-Feb-21 Li et al. [35] Transfer based Attacks Attack Name Date Author Adaptive 3-Oct-19 Mahmood et al. [22] DaST 28-Mar-20 Zhou et al. [9] PO-TI 13-Jun-20 Li et al. [23] Non-traditional Attacks Attack Name Date Author CornerSearch 11-Sep-19 Croce et al. [36] ColorFool 25-Nov-19 Shamsabadi et al. [38] Patch 12-Apr-20 Yang et al. [37]

show abstract

“…Based on gradient descent and L-norm optimization methods, Liu et al [6] first presented the method to exploit a malware-based visual detector to adversarial example attacks. Zhou et al [7] were the first to propose an alternative model for training adversarial attacks without real data.…”

Section: Introductionmentioning

confidence: 99%

A Survey on Adversarial Attack in the Age of Artificial Intelligence

Kong

Xue

Wang

et al. 2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

With the rapid evolution of the Internet, the application of artificial intelligence fields is more and more extensive, and the era of AI has come. At the same time, adversarial attacks in the AI field are also frequent. Therefore, the research into adversarial attack security is extremely urgent. An increasing number of researchers are working in this field. We provide a comprehensive review of the theories and methods that enable researchers to enter the field of adversarial attack. This article is according to the “Why? → What? → How?” research line for elaboration. Firstly, we explain the significance of adversarial attack. Then, we introduce the concepts, types, and hazards of adversarial attack. Finally, we review the typical attack algorithms and defense techniques in each application area. Facing the increasingly complex neural network model, this paper focuses on the fields of image, text, and malicious code and focuses on the adversarial attack classifications and methods of these three data types, so that researchers can quickly find their own type of study. At the end of this review, we also raised some discussions and open issues and compared them with other similar reviews.

show abstract

DaST: Data-Free Substitute Training for Adversarial Attacks

Cited by 105 publications

References 9 publications

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Back in Black: A Comparative Evaluation of Recent State-Of-The-Art Black-Box Attacks

A Survey on Adversarial Attack in the Age of Artificial Intelligence

Contact Info

Product

Resources

About