The Space of Adversarial Strategies

Adversarial examples, inputs designed to induce worst-case behavior in machine learning models, have been extensively studied over the past decade. Yet, our understanding of this phenomenon stems from a rather fragmented pool of knowledge; at present, there are a handful of attacks, each with dispar...

Detailed description

Saved in:
Bibliographic details
Main authors: Sheatsley, Ryan, Hoak, Blaine, Pauley, Eric, McDaniel, Patrick
Format: Article
Language: eng
Subject headings:
Online access: Order full text
creator Sheatsley, Ryan
Hoak, Blaine
Pauley, Eric
McDaniel, Patrick
description Adversarial examples, inputs designed to induce worst-case behavior in machine learning models, have been extensively studied over the past decade. Yet, our understanding of this phenomenon stems from a rather fragmented pool of knowledge; at present, there are a handful of attacks, each with disparate assumptions in threat models and incomparable definitions of optimality. In this paper, we propose a systematic approach to characterize worst-case (i.e., optimal) adversaries. We first introduce an extensible decomposition of attacks in adversarial machine learning by atomizing attack components into surfaces and travelers. With our decomposition, we enumerate over components to create 576 attacks (568 of which were previously unexplored). Next, we propose the Pareto Ensemble Attack (PEA): a theoretical attack that upper-bounds attack performance. With our new attacks, we measure performance relative to the PEA on: both robust and non-robust models, seven datasets, and three extended lp-based threat models incorporating compute costs, formalizing the Space of Adversarial Strategies. From our evaluation we find attack performance to be highly contextual: the domain, model robustness, and threat model can have a profound influence on attack efficacy. Our investigation suggests that future studies measuring the security of machine learning should: (1) be contextualized to the domain & threat models, and (2) go beyond the handful of known attacks used today.
doi_str_mv 10.48550/arxiv.2209.04521
format Article
fulltext fulltext_linktorsrc
identifier DOI: 10.48550/arxiv.2209.04521
language eng
recordid cdi_arxiv_primary_2209_04521
source arXiv.org
subjects Computer Science - Cryptography and Security
Computer Science - Learning
title The Space of Adversarial Strategies
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-02T22%3A41%3A34IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=The%20Space%20of%20Adversarial%20Strategies&rft.au=Sheatsley,%20Ryan&rft.date=2022-09-09&rft_id=info:doi/10.48550/arxiv.2209.04521&rft_dat=%3Carxiv_GOX%3E2209_04521%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true