Towards the Transferable Audio Adversarial Attack via Ensemble Methods
In recent years, deep learning (DL) models have achieved significant progress
in many domains, such as autonomous driving, facial recognition, and speech
recognition. However, the vulnerability of deep learning models to adversarial
attacks has raised serious concerns in the community because of their
insufficient robustness and generalization. Also, transferable attacks have
become a prominent method for black-box attacks. In this work, we explore the
potential factors that impact adversarial examples (AEs) transferability in
DL-based speech recognition. We also discuss the vulnerability of different DL
systems and the irregular nature of decision boundaries. Our results show a
remarkable difference in the transferability of AEs between speech and images:
data relevance matters little for images but strongly affects speech recognition.
Motivated by dropout-based ensemble approaches, we propose random gradient
ensembles and dynamic gradient-weighted ensembles, and we evaluate the impact
of ensembles on the transferability of AEs. The results show that the AEs
created by both approaches transfer successfully to the black-box API.
Comment: Submitted to Cybersecurity journal 202
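The dynamic gradient-weighted ensemble idea can be illustrated with a minimal sketch. This is an assumption-laden reconstruction, not the paper's exact method: the function name, the FGSM-style single step, and the loss-proportional weighting rule are all illustrative choices.

```python
import numpy as np

def dynamic_weighted_ensemble_step(x, models, epsilon=0.01):
    """One FGSM-style attack step over an ensemble of surrogate models.

    Each entry in `models` is a (loss_fn, grad_fn) pair for one surrogate.
    Weights are proportional to each surrogate's current loss, so models
    that the current example fools least contribute most to the update
    (a hypothetical instance of "dynamic gradient-weighted" ensembling).
    """
    losses = np.array([loss(x) for loss, _ in models], dtype=float)
    weights = losses / losses.sum()          # dynamic, loss-proportional weights
    # Weighted sum of per-model input gradients, then a signed step.
    g = sum(w * grad(x) for w, (_, grad) in zip(weights, models))
    return x + epsilon * np.sign(g)
```

A "random gradient ensemble" variant would instead subsample which surrogates contribute at each step, trading gradient accuracy for diversity.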
Learning Transferable Adversarial Examples via Ghost Networks
Recent developments in adversarial attacks have shown that ensemble-based
methods outperform traditional, non-ensemble ones in black-box attacks. However,
as it is computationally prohibitive to acquire a family of diverse models,
these methods achieve inferior performance constrained by the limited number of
models to be ensembled.
In this paper, we propose Ghost Networks to improve the transferability of
adversarial examples. The critical principle of ghost networks is to apply
feature-level perturbations to an existing model to potentially create a huge
set of diverse models. These models are then fused by longitudinal
ensemble. Extensive experimental results suggest that the number
of networks is essential for improving the transferability of adversarial
examples, but it is less necessary to independently train different networks
and fuse them through intensive aggregation. Instead, our work can be
used as a computationally cheap and easily applied plug-in to improve
adversarial approaches in both single-model and multi-model attacks, compatible
with residual and non-residual networks. By reproducing the NeurIPS 2017
adversarial competition, our method outperforms the No.1 attack submission by a
large margin, demonstrating its effectiveness and efficiency. Code is available
at https://github.com/LiYingwei/ghost-network.
Comment: To appear in AAAI-2
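The core idea of drawing many virtual models from one network can be sketched as follows. This is a simplified illustration under stated assumptions: the paper perturbs intermediate features (e.g., dropout or skip-connection erosion), whereas here a dropout-style mask is applied to the input gradient as a stand-in; all names are hypothetical.

```python
import numpy as np

def ghost_grad(x, grad_fn, drop_p, rng):
    """Gradient through one 'ghost' of the base model: a random dropout-style
    mask perturbs the gradient, simulating a distinct network without
    training a new model. Masking the input gradient is a simplification
    of the paper's feature-level perturbation."""
    mask = (rng.random(x.shape) >= drop_p) / (1.0 - drop_p)
    return grad_fn(x) * mask

def longitudinal_ensemble_attack(x, grad_fn, steps=10, epsilon=0.01,
                                 drop_p=0.2, seed=0):
    """Iterative attack that draws a fresh ghost network at every step,
    so the trajectory averages over many virtual models across iterations
    (the 'longitudinal ensemble') instead of fusing models at each step."""
    rng = np.random.default_rng(seed)
    x_adv = x.copy()
    for _ in range(steps):
        g = ghost_grad(x_adv, grad_fn, drop_p, rng)
        x_adv = x_adv + epsilon * np.sign(g)
    return x_adv
```

Because each ghost costs only a random mask, the ensemble size is effectively free, which is the claimed source of the method's efficiency.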