Generalizable Black-Box Adversarial Attack With Meta Learning

In the scenario of black-box adversarial attack, the target model's parameters are unknown, and the attacker aims to find a successful adversarial perturbation based on query feedback under a query budget. Due to the limited feedback information, existing query-based black-box attack methods of...

Detailed description

Bibliographic details
Published in: IEEE transactions on pattern analysis and machine intelligence 2024-03, Vol.46 (3), p.1804-1818
Main authors: Yin, Fei; Zhang, Yong; Wu, Baoyuan; Feng, Yan; Zhang, Jingyi; Fan, Yanbo; Yang, Yujiu
Format: Article
Language: eng
container_end_page 1818
container_issue 3
container_start_page 1804
container_title IEEE transactions on pattern analysis and machine intelligence
container_volume 46
creator Yin, Fei
Zhang, Yong
Wu, Baoyuan
Feng, Yan
Zhang, Jingyi
Fan, Yanbo
Yang, Yujiu
description In the scenario of black-box adversarial attack, the target model's parameters are unknown, and the attacker aims to find a successful adversarial perturbation based on query feedback under a query budget. Due to the limited feedback information, existing query-based black-box attack methods often require many queries for attacking each benign example. To reduce query cost, we propose to utilize the feedback information across historical attacks, dubbed example-level adversarial transferability. Specifically, by treating the attack on each benign example as one task, we develop a meta-learning framework by training a meta generator to produce perturbations conditioned on benign examples. When attacking a new benign example, the meta generator can be quickly fine-tuned based on the feedback information of the new task as well as a few historical attacks to produce effective perturbations. Moreover, since the meta-train procedure consumes many queries to learn a generalizable generator, we utilize model-level adversarial transferability to train the meta generator on a white-box surrogate model, then transfer it to help the attack against the target model. The proposed framework with the two types of adversarial transferability can be naturally combined with any off-the-shelf query-based attack methods to boost their performance, which is verified by extensive experiments. The source code is available at https://github.com/SCLBD/MCG-Blackbox .
doi_str_mv 10.1109/TPAMI.2022.3194988
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 0162-8828
ispartof IEEE transactions on pattern analysis and machine intelligence, 2024-03, Vol.46 (3), p.1804-1818
issn 0162-8828
1939-3539
2160-9292
language eng
recordid cdi_pubmed_primary_37021863
source IEEE Electronic Library (IEL)
subjects Adaptation models
Black boxes
Black-box adversarial attack
Closed box
conditional distribution of perturbation
example-level and model-level adversarial transferability
Feedback
Generators
Glass box
Learning
meta learning
Perturbation
Perturbation methods
Queries
Source code
Task analysis
Training
title Generalizable Black-Box Adversarial Attack With Meta Learning
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-27T02%3A34%3A52IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Generalizable%20Black-Box%20Adversarial%20Attack%20With%20Meta%20Learning&rft.jtitle=IEEE%20transactions%20on%20pattern%20analysis%20and%20machine%20intelligence&rft.au=Yin,%20Fei&rft.date=2024-03-01&rft.volume=46&rft.issue=3&rft.spage=1804&rft.epage=1818&rft.pages=1804-1818&rft.issn=0162-8828&rft.eissn=1939-3539&rft.coden=ITPIDJ&rft_id=info:doi/10.1109/TPAMI.2022.3194988&rft_dat=%3Cproquest_RIE%3E2923126404%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2923126404&rft_id=info:pmid/37021863&rft_ieee_id=10017370&rfr_iscdi=true