An efficient black-box attack in real-world scenarios
Project description/goals
This project studies black-box adversarial attacks against deep neural networks (DNNs), where the attacker can only access the query feedback returned by the attacked API, while other information, such as the model parameters or the training dataset, remains unknown. To protect the security of the services provided by Tencent, it is necessary to study black-box adversarial attacks: the proposed attack can serve as a baseline for security testing, and we will then design methods to defend against it.
Importance/impact, challenges/pain points
AI technology is widely used in Tencent's products and services, such as the face recognition, image recognition, and other products provided by Tencent Cloud, which serve users in the form of APIs. However, malicious attackers can use black-box attacks to steal models, deceive them, or leak their training data. If such an attack succeeds, Tencent could suffer incalculable economic and reputational losses. Therefore, to ensure the security of Tencent's services, it is necessary to study efficient black-box attacks in real-world scenarios. In addition, the existing attack approaches, whether query-based, transfer-based, or combinations of the two, each have their own shortcomings.
Solution description
The solution is to develop an efficient black-box attack for real-world scenarios. First, we learn a mapping from a simple normal distribution to a complex perturbation distribution. Then, we train this mapping efficiently on surrogate models. Finally, we transfer the mapping parameters learned on the surrogate models to attack the target model.
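As a minimal sketch of these steps (the architecture, names, and hyperparameters below are illustrative assumptions, not the project's actual implementation), the mapping can be realized as a small PyTorch generator that transforms standard Gaussian noise into bounded image perturbations, trained against a white-box surrogate model:

```python
import math

import torch
import torch.nn as nn

# Hypothetical sketch of the mapping step: a small generator network that
# transforms standard Gaussian noise z ~ N(0, I) into an image-shaped
# perturbation bounded in L-infinity norm by epsilon.
class PerturbationGenerator(nn.Module):
    def __init__(self, z_dim=128, img_shape=(3, 32, 32), epsilon=8 / 255):
        super().__init__()
        self.img_shape = img_shape
        self.epsilon = epsilon
        self.net = nn.Sequential(
            nn.Linear(z_dim, 512),
            nn.ReLU(),
            nn.Linear(512, math.prod(img_shape)),
        )

    def forward(self, z):
        out = self.net(z).view(-1, *self.img_shape)
        # tanh keeps each pixel perturbation within [-epsilon, +epsilon]
        return self.epsilon * torch.tanh(out)


def train_on_surrogate(gen, surrogate, loader, z_dim=128, epochs=10, lr=1e-3):
    """Train the mapping against a white-box surrogate model by maximizing
    the surrogate's classification loss on perturbed inputs (untargeted)."""
    opt = torch.optim.Adam(gen.parameters(), lr=lr)
    ce = nn.CrossEntropyLoss()
    for _ in range(epochs):
        for x, y in loader:
            z = torch.randn(x.size(0), z_dim)
            x_adv = (x + gen(z)).clamp(0.0, 1.0)
            loss = -ce(surrogate(x_adv), y)  # gradient ascent on the loss
            opt.zero_grad()
            loss.backward()
            opt.step()
```

Because the generator is trained only on surrogate models, its parameters can then be carried over unchanged to attack the black-box target.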
Key contribution/commercial implication
We developed a novel and efficient black-box attack based on randomly sampled perturbations.
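For illustration, a hedged sketch of how randomly sampled perturbations could drive the black-box stage once the mapping is transferred; `query_fn` is a hypothetical stand-in for the attacked API and is assumed to return only the predicted label:

```python
import torch

def attack_target(gen, query_fn, x, y_true, z_dim=128, max_queries=1000):
    """Black-box stage: reuse the transferred mapping `gen` and repeatedly
    sample perturbations, querying the target API (`query_fn`) until the
    prediction flips."""
    for queries in range(1, max_queries + 1):
        z = torch.randn(1, z_dim)
        x_adv = (x + gen(z)).clamp(0.0, 1.0)
        if query_fn(x_adv) != y_true:  # only query feedback is used
            return x_adv, queries     # success and the query count spent
    return None, max_queries          # failure within the query budget
```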
Next steps
In the next step, we intend to design a defense method to protect models against black-box attacks.
Collaborators/partners
Tencent
Team/contributors
Zeyu Qin PhD
Mingli Zhu PhD
Yaopei Zeng MPhil