Metadata only
Date
2024
Type
Conference Paper
ETH Bibliography
yes
Abstract
Decision-based evasion attacks repeatedly query a black-box classifier to generate adversarial examples. Prior work measures the cost of such attacks by the total number of queries made to the classifier. We argue this metric is incomplete. Many security-critical machine learning systems aim to weed out "bad" data (e.g., malware, harmful content, etc.). Queries to such systems carry a fundamentally asymmetric cost: flagged queries, i.e., queries detected as "bad" by the classifier, come at a higher cost because they trigger additional security filters, e.g., usage throttling or account suspension. Yet, we find that existing decision-based attacks issue a large number of queries that would get flagged by a security-critical system, which likely renders them ineffective against such systems. We then design new attacks that reduce the number of flagged queries by 1.5-7.3x. While some of our attacks achieve this improvement at the cost of only a moderate increase in total (including non-flagged) queries, other attacks require significantly more total queries than prior attacks. We thus pose it as an open problem to build black-box attacks that are more effective under realistic cost metrics.
Publication status
published
External links
Book title
2024 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML)
Pages / Article number
Publisher
IEEE
Conference
Subject
security; threat models; black-box adversarial examples; decision-based attacks
Related publications and data
Is new version of: http://hdl.handle.net/20.500.11850/643915