Evading Black-box Classifiers Without Breaking Eggs
dc.contributor.author
Debenedetti, Edoardo
dc.contributor.author
Carlini, Nicholas
dc.contributor.author
Tramèr, Florian
dc.date.accessioned
2024-07-29T13:58:53Z
dc.date.available
2024-07-29T05:32:16Z
dc.date.available
2024-07-29T13:53:38Z
dc.date.available
2024-07-29T13:58:53Z
dc.date.issued
2024
dc.identifier.isbn
979-8-3503-4950-4
en_US
dc.identifier.isbn
979-8-3503-4951-1
en_US
dc.identifier.other
10.1109/SaTML59370.2024.00027
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/685562
dc.description.abstract
Decision-based evasion attacks repeatedly query a black-box classifier to generate adversarial examples. Prior work measures the cost of such attacks by the total number of queries made to the classifier. We argue this metric is incomplete. Many security-critical machine learning systems aim to weed out "bad" data (e.g., malware, harmful content, etc.). Queries to such systems carry a fundamentally asymmetric cost: flagged queries, i.e., queries detected as "bad" by the classifier, come at a higher cost because they trigger additional security filters, e.g., usage throttling or account suspension. Yet, we find that existing decision-based attacks issue a large number of queries that would get flagged by a security-critical system, which likely renders them ineffective against such systems. We then design new attacks that reduce the number of flagged queries by 1.5-7.3x. While some of our attacks achieve this improvement at the cost of only a moderate increase in total (including non-flagged) queries, other attacks require significantly more total queries than prior attacks. We thus pose it as an open problem to build black-box attacks that are more effective under realistic cost metrics.
en_US
dc.language.iso
en
en_US
dc.publisher
IEEE
en_US
dc.subject
security
en_US
dc.subject
threat models
en_US
dc.subject
black-box adversarial examples
en_US
dc.subject
decision-based attacks
en_US
dc.title
Evading Black-box Classifiers Without Breaking Eggs
en_US
dc.type
Conference Paper
dc.date.published
2024-05-10
ethz.book.title
2024 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML)
en_US
ethz.pages.start
408
en_US
ethz.pages.end
424
en_US
ethz.event
IEEE Conference on Safe and Trustworthy Machine Learning (SaTML 2024)
en_US
ethz.event.location
Toronto, Canada
en_US
ethz.event.date
April 9-11, 2024
en_US
ethz.identifier.wos
ethz.publication.place
Piscataway, NJ
en_US
ethz.publication.status
published
en_US
ethz.relation.isNewVersionOf
20.500.11850/643915
ethz.date.deposited
2024-07-29T05:32:24Z
ethz.source
WOS
ethz.eth
yes
en_US
ethz.availability
Metadata only
en_US
ethz.rosetta.installDate
2024-07-29T13:54:13Z
ethz.rosetta.lastUpdated
2024-07-29T13:54:13Z
ethz.rosetta.exportRequired
true
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=Evading%20Black-box%20Classifiers%20Without%20Breaking%20Eggs&rft.date=2024&rft.spage=408&rft.epage=424&rft.au=Debenedetti,%20Edoardo&Carlini,%20Nicholas&Tram%C3%A8r,%20Florian&rft.isbn=979-8-3503-4950-4&979-8-3503-4951-1&rft.genre=proceeding&rft_id=info:doi/10.1109/SaTML59370.2024.00027&rft.btitle=2024%20IEEE%20Conference%20on%20Secure%20and%20Trustworthy%20Machine%20Learning%20(SaTML)
Files in this item
There are no files associated with this item.
Publication type
Conference Paper