Transfer Attacks Revisited: A Large-Scale Empirical Study in Real Computer Vision Settings
METADATA ONLY
Loading...
Author / Producer
Date
2022
Publication Type
Conference Paper
ETH Bibliography
yes
Citations
Altmetric
METADATA ONLY
Data
Rights / License
Abstract
One intriguing property of adversarial attacks is their “transferability” – an adversarial example crafted with respect to one deep neural network (DNN) model is often found effective against other DNNs as well. Intensive research has been conducted on this phenomenon under simplistic controlled conditions. Yet, thus far there is still a lack of comprehensive understanding about transferability-based attacks (“transfer attacks”) in real-world environments.To bridge this critical gap, we conduct the first large-scale systematic empirical study of transfer attacks against major cloud-based MLaaS platforms, taking the components of a real transfer attack into account. The study leads to a number of interesting findings which are inconsistent to the existing ones, including: (i) Simple surrogates do not necessarily improve real transfer attacks. (ii) No dominant surrogate architecture is found in real transfer attacks. (iii) It is the gap between posterior (output of the softmax layer) rather than the gap between logit (so-called κ value) that increases transferability. Moreover, by comparing with prior works, we demonstrate that transfer attacks possess many previously unknown properties in real-world environments, such as (i) Model similarity is not a well-defined concept. (ii) L 2 norm of perturbation can generate high transferability without usage of gradient and is a more powerful source than L ∞ norm. We believe this work sheds light on the vulnerabilities of popular MLaaS platforms and points to a few promising research directions.
Permanent link
Publication status
published
External links
Editor
Book title
2022 IEEE Symposium on Security and Privacy (SP)
Journal / series
Volume
Pages / Article No.
1423 - 1439
Publisher
IEEE
Event
43rd IEEE Symposium on Security and Privacy (SP 2022)
Edition / version
Methods
Software
Geographic location
Date collected
Date created
Subject
Measurement; Privacy; Systematics; Perturbation methods; Web and internet services; Neural networks; Computer architecture