The massive amount of available data and powerful computing resources have driven the rapid development of machine learning technology and carried every industry into a new stage. The widespread use of machine learning techniques has raised concerns about their security, especially in security-sensitive areas. Unfortunately, current research has found that machine learning models are very fragile. In the field of computer vision, an attacker adds subtle perturbations to input samples to generate adversarial samples that are indistinguishable from the original images yet cause the target model to misclassify them, i.e., an adversarial attack. In recent years there have been many studies of adversarial attacks, and they have significant implications for practical applications. On the one hand, studies of adversarial attacks reveal the vulnerability of machine learning models and deepen researchers' understanding of them. On the other hand, adversarial samples can be used to evaluate the robustness of machine learning models and help researchers develop more robust ones. However, existing attack methods still have shortcomings in attack success rate, query efficiency and the size of the added perturbation, and they are susceptible to interference from defensive measures. This thesis focuses on adversarial sample generation techniques in black-box scenarios from the perspective of attacks, and proposes a black-box soft-label attack based on a historical gradient prior and a black-box hard-label attack based on decision boundaries to address the above problems, respectively. Specifically, the work in this thesis is as follows.

In the black-box soft-label scenario, this thesis introduces a historical gradient prior into the zero-order gradient estimation process to reduce the number of queries required for gradient estimation. Meanwhile, the gradient estimation strategy is adjusted adaptively during the attack: when the loss reduction is unsatisfactory, the gradient estimation algorithm is switched, which avoids a large bias between the estimated gradient and the true gradient that would otherwise degrade the attack. In terms of attack success rate and query efficiency, the scheme proposed in this thesis has clear advantages over state-of-the-art attack schemes. In addition, the scheme is more robust against several powerful defenses, which the experimental results verify.

In the black-box hard-label scenario, this thesis designs systematic initialization methods for untargeted and targeted attacks, respectively. The method provides a better initial point for the attack and keeps it from falling into a poor local minimum. To further improve the efficiency of the attack, the transfer-based attack and the decision-based attack are combined. A set of local models is used as reference models for the target model, and the "prior gradients" of the reference models are used as basis vectors spanning a low-dimensional subspace, which reduces the dimensionality of the search. Compared with previous attacks in the black-box hard-label scenario, experimental results on multiple datasets show the advantages of the proposed attack in terms of perturbation size and attack success rate.
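The soft-label part of the abstract describes two mechanisms: a historical gradient prior that makes each zero-order gradient estimate cheaper, and a switch back to a full estimator when the observed loss reduction is unsatisfactory. The following example, written for this page and not taken from the thesis, makes both mechanisms concrete on a constructed stand-in for a black-box loss (a weighted quadratic bowl whose function values are the only thing observable) and counts queries, which is also the quantity a query-rate monitor in front of a model API would see. The toy loss, the step size, and the two switch thresholds (a fraction `tau` of the first-order predicted drop, and a relative floor on the drop) are assumptions made for the illustration; the thesis's own estimator, switch rule and models are not on this page.

```python
import math


class QueryCountedLoss:
    """Constructed stand-in for a black-box target: a weighted quadratic bowl.
    Only function values are observable, and every call is counted."""

    def __init__(self, center, weights):
        self.center = list(center)
        self.weights = list(weights)
        self.queries = 0

    def __call__(self, x):
        self.queries += 1
        return sum(w * (xi - ci) ** 2
                   for w, xi, ci in zip(self.weights, x, self.center))


def grad_coordinates(loss, x, base, sigma):
    """Full zero-order estimate: one forward difference per coordinate (d queries).
    `base` is the already-known loss at x, so it is not queried again."""
    g = []
    for i in range(len(x)):
        xp = list(x)
        xp[i] += sigma
        g.append((loss(xp) - base) / sigma)
    return g


def grad_along_prior(loss, x, base, prior, sigma):
    """Cheap estimate guided by a historical gradient prior: a single query
    probes the directional derivative s along the unit prior direction u, and
    the estimate s*u is the projection of the gradient onto that direction."""
    norm = math.sqrt(sum(p * p for p in prior))
    u = [p / norm for p in prior]
    xp = [xi + sigma * ui for xi, ui in zip(x, u)]
    s = (loss(xp) - base) / sigma
    return [s * ui for ui in u], s


def descend(x, g, eta):
    return [xi - eta * gi for xi, gi in zip(x, g)]


def run_full(loss, x0, steps, eta=0.1, sigma=1e-8):
    """Baseline: a full coordinate-wise estimate on every step (d+1 queries per step)."""
    x = list(x0)
    cur = loss(x)
    history = [cur]
    for _ in range(steps):
        g = grad_coordinates(loss, x, cur, sigma)
        x = descend(x, g, eta)
        cur = loss(x)
        history.append(cur)
    return x, history, loss.queries


def run_adaptive(loss, x0, steps, eta=0.1, sigma=1e-8, tau=0.5, rel_floor=1e-2):
    """Prior-guided descent with a switch rule (assumed thresholds, not the thesis's).
    After the first step, each step first tries the one-query prior estimate.
    If the observed loss drop is below tau times the first-order prediction
    eta*s^2, or below rel_floor times the current loss (the prior has gone
    stale), the step is redone with the full estimate, which refreshes the prior."""
    x = list(x0)
    cur = loss(x)
    history = [cur]
    prior = None
    switches = 0
    for _ in range(steps):
        if prior is not None and any(prior):
            g, s = grad_along_prior(loss, x, cur, prior, sigma)
            cand = descend(x, g, eta)
            cand_loss = loss(cand)
            drop = cur - cand_loss
            if drop >= tau * eta * s * s and drop >= rel_floor * cur:
                x, cur = cand, cand_loss       # prior step accepted
                history.append(cur)
                prior = g
                continue
            switches += 1                      # unsatisfactory: switch estimator
        g = grad_coordinates(loss, x, cur, sigma)
        x = descend(x, g, eta)
        cur = loss(x)
        history.append(cur)
        prior = g
    return x, history, loss.queries, switches


# Constructed instance: 3-dimensional bowl, start at the origin.
CENTER = [1.0, 2.0, 3.0]
WEIGHTS = [1.0, 2.0, 4.0]
X0 = [0.0, 0.0, 0.0]
STEPS = 30


def compare(steps=STEPS):
    """Run both schemes on fresh query counters and report loss and query cost."""
    _, h_full, q_full = run_full(QueryCountedLoss(CENTER, WEIGHTS), X0, steps)
    _, h_ad, q_ad, sw = run_adaptive(QueryCountedLoss(CENTER, WEIGHTS), X0, steps)
    return {"full_loss": h_full[-1], "full_queries": q_full,
            "adaptive_loss": h_ad[-1], "adaptive_queries": q_ad,
            "switches": sw, "adaptive_history": h_ad, "full_history": h_full}


if __name__ == "__main__":
    r = compare()
    print(f"full estimator:     loss {r['full_loss']:.2e} after {r['full_queries']} queries")
    print(f"prior + switching:  loss {r['adaptive_loss']:.2e} after {r['adaptive_queries']} queries "
          f"({r['switches']} switches)")
```

On the quadratic bowl the prior-guided steps are line descents along the last full gradient, so the relative floor is what eventually triggers the switch; the `tau` test matters on losses whose curvature makes the first-order prediction unreliable. The baseline costs exactly `1 + steps*(d+1)` queries, while the adaptive scheme spends one probe plus one candidate evaluation on most steps and only pays the full `d` probes after a switch.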