TY - GEN
T1 - Towards Multiple Black-boxes Attack via Adversarial Example Generation Network
AU - Mingxing, Duan
AU - Li, Kenli
AU - Xie, Lingxi
AU - Tian, Qi
AU - Xiao, Bin
N1 - Funding Information:
This work was supported in part by the National Key-Research and Development Program of China under Grant No. 2020YFB2104003, in part by the National Outstanding Youth Science Program of National Natural Science Foundation of China under Grant 61625202, in part by the International Cooperation and Exchange Key Program of National Natural Science Foundation of China under Grant 61860206011, in part by the National Youth Science Program of National Natural Science Foundation of China under Grant 61902119, in part by the Open Fund of Science and Technology on Parallel and Distributed Processing Laboratory under Grant 6142110200205, in part by the Shenzhen Excellent Technological and Innovative Talent Training Foundation under Grant RCBS20200714114941176, and in part by the Project funded by China Postdoctoral Science Foundation under Grants 2019M652758 and 2019TQ0087. This paper is funded by the Hong Kong Scholars Program under Grants XJ2020032.
Publisher Copyright:
© 2021 ACM.
PY - 2021/10/17
Y1 - 2021/10/17
N2 - The current research on adversarial attacks aims at a single model while the research on attacking multiple models simultaneously is still challenging. In this paper, we propose a novel black-box attack method, referred to as MBbA, which can attack multiple black-boxes at the same time. By encoding the input image and its target category into an associated space, each decoder seeks the appropriate attack areas from the image through the designed loss functions, and then generates effective adversarial examples. This process realizes end-to-end adversarial example generation without involving substitute models for the black-box scenario. On the other hand, adopting the adversarial examples generated by MBbA for adversarial training, the robustness of the attacked models is greatly improved. More importantly, those adversarial examples can achieve satisfactory attack performance, even if these black-box models are trained with the adversarial examples generated by other black-box attack methods, which show good transferability. Finally, extensive experiments show that compared with other state-of-the-art methods: (1) MBbA takes the least time to obtain the most effective attack effects in the multi-black-box attack scenario. Furthermore, MBbA achieves the highest attack success rates in a single black-box attack scenario; (2) the adversarial examples generated by MBbA can effectively improve the robustness of the attacked models and exhibit good transferability.
AB - The current research on adversarial attacks aims at a single model while the research on attacking multiple models simultaneously is still challenging. In this paper, we propose a novel black-box attack method, referred to as MBbA, which can attack multiple black-boxes at the same time. By encoding the input image and its target category into an associated space, each decoder seeks the appropriate attack areas from the image through the designed loss functions, and then generates effective adversarial examples. This process realizes end-to-end adversarial example generation without involving substitute models for the black-box scenario. On the other hand, adopting the adversarial examples generated by MBbA for adversarial training, the robustness of the attacked models is greatly improved. More importantly, those adversarial examples can achieve satisfactory attack performance, even if these black-box models are trained with the adversarial examples generated by other black-box attack methods, which show good transferability. Finally, extensive experiments show that compared with other state-of-the-art methods: (1) MBbA takes the least time to obtain the most effective attack effects in the multi-black-box attack scenario. Furthermore, MBbA achieves the highest attack success rates in a single black-box attack scenario; (2) the adversarial examples generated by MBbA can effectively improve the robustness of the attacked models and exhibit good transferability.
KW - adversarial examples
KW - black-box attacks
KW - dnn
KW - multiple models
UR - http://www.scopus.com/inward/record.url?scp=85119334702&partnerID=8YFLogxK
U2 - 10.1145/3474085.3475542
DO - 10.1145/3474085.3475542
M3 - Conference article published in proceeding or book
AN - SCOPUS:85119334702
T3 - MM 2021 - Proceedings of the 29th ACM International Conference on Multimedia
SP - 264
EP - 272
BT - MM 2021 - Proceedings of the 29th ACM International Conference on Multimedia
PB - Association for Computing Machinery, Inc
T2 - 29th ACM International Conference on Multimedia, MM 2021
Y2 - 20 October 2021 through 24 October 2021
ER -