OAI 3

Questions and Answers

What is the primary objective of the surrogate diversity approach in increasing transferability?

• To find a surrogate model that closely approximates the unknown target model
• To train multiple substitute models on different subsets of the training data
• To find a single substitute model that can evade all defenses against adversarial attacks
• To ensemble multiple surrogate models with varying decision boundaries (correct)

In the ensemble approach for increasing transferability, what is the objective function being minimized?

• The sum of losses across all surrogate models for the perturbed input (correct)
• The maximum loss across all surrogate models for the perturbed input
• The average loss across all surrogate models for the perturbed input
• The minimum loss across all surrogate models for the perturbed input

What is the significance of the constraint $\delta < \epsilon$ in the ensemble approach?

• It ensures that the perturbation is large enough to fool all surrogate models
• It ensures that the perturbation is transferable to the unknown target model
• It ensures that the perturbation does not significantly change the predicted class
• It ensures that the perturbation is small enough to be imperceptible to humans (correct)

Which of the following statements is true about the ensemble of surrogate models in the transferability approach?

Each surrogate model has a similar but slightly varying decision boundary (D)

In the context of adversarial attacks, what is the advantage of using an ensemble of surrogate models over a single surrogate model?

It increases the transferability of the adversarial examples to the unknown target model (A)

What is the main advantage of using the ZOO (subspace attack) approach?

It combines white-box attacks on a substitute model with black-box attacks on the victim. (C)

In the context of black-box attacks, what is the purpose of using a surrogate model?

To create a substitute model that approximates the victim's decision boundaries. (A)

What is the key advantage of the SIMBA approach compared to the ZOO approach?

It incorporates a more efficient optimization technique for black-box attacks. (A)

In the context of data-free substitute training, what is the purpose of the ODS (Output Diversified Sampling) technique?

To diversify the output predictions of the substitute model. (C)

Which of the following statements best describes the concept of transferability in the context of adversarial attacks?

The ability of an adversarial example to fool multiple models with different architectures. (D)

Why is using a larger perturbation recommended in maximum-confidence attacks?

To introduce noise that aids in better transfer of adversarial examples (D)

According to Ziv Katzir et al., what crucial factor affects the resulting guarantee of transferability?

The choice of random seed for initializing parameters (D)

In increasing transferability approaches, what is one way to generate more diverse samples for better transferability?

Optimizing over diverse inputs (C)

What is one key strategy for estimating the best image to use in the context of increasing transferability?

Performing ranking based on estimated image quality (D)

Which approach is recommended for optimizing over diverse architectures in the context of increasing transferability?

Utilizing a more generic model for sample generation (B)

What is the key characteristic of the No Query Access attack scenario described in the text?

The adversary uses an open source dataset similar to the training data of the victim model. (A)

What is the main purpose of the adversary creating a substitute model $f(x)$ in the transfer-based attack process described?

To generate adversarial examples that are likely to transfer to the victim model. (D)

Which of the following attack scenarios described in the text requires the most queries to the victim model?

Unbounded Query Access (A)

In the context of transfer-based attacks, what is the purpose of the whitebox attack performed on the substitute model $ ext{f}(x)$?

To generate adversarial examples that are likely to transfer to the victim model. (B)

What is the key advantage of the data-free substitute training (DaST) approach described in the text?

It allows the adversary to create a substitute model without accessing the victim model's training data. (D)

What is the key motivation behind estimating gradients in black-box attacks?

To compute the gradient of the loss function with respect to the input features (B)

In the zero-th order gradient estimation approach, how is the gradient approximated for a single feature $x_i$?

$\frac{\partial \mathcal{L}}{\partial x_i} \approx \frac{\mathcal{L}(x_i + h) - \mathcal{L}(x_i - h)}{2h}$ (B)

How does the zero-th order gradient estimation approach differ from the first-order gradient approach?

The zero-th order approach requires evaluating the loss function at $x_i + h$ and $x_i - h$, while the first-order approach requires computing the derivative $\frac{\partial \mathcal{L}}{\partial x_i}$ (D)

Which of the following is a key challenge in using a substitute model for black-box attacks?

Ensuring the attack is transferable from the substitute model to the target model (C)

What is a key advantage of the ZOO attack compared to attacks that require training a substitute model?

The ZOO attack does not require any access to the target model's training data (D)

What is the goal of the TIMI attack in terms of input diversity?

Produce a perturbation 𝛿 for 𝑥 such that 𝑓 𝑇 𝑥 +𝛿 ≠ 𝑦 (C)

How does the TIMI attack address the input diversity problem?

By applying random transformations to the features in 𝑥 (D)

What does 'invariant' mean in the context of the TIMI attack?

Unaffected by transformations (A)

How is the concept of 'image shift augmentations' utilized in shortcutting the TIMI attack?

Applying shifts to the gradient of input images (B)

What role does the concept of 'Whitebox attack on substitute model' play in evading defenses in adversarial attacks?

Generating adversarial examples that transfer effectively across models (B)

What is the main focus when creating a substitute model for adversarial attacks?

Achieving a similar decision boundary as the original model (B)

How does 'Data-free substitute training' impact the process of generating adversarial examples?

Allows for the creation of adversarial examples without accessing training data (A)

'Query access' in adversarial attacks refers to:

'Greybox' access where some information about the model is known (D)

'Universal Adversarial Perturbation (UAP)' differs from traditional perturbations by:

Remaining consistent across different images and classes (B)

Which of the following statements about the ZOO attack is true?

It uses a stochastic coordinate descent approach to optimize a random feature in each iteration. (D)

What is the main challenge with the ZOO attack on large input dimensions like ImageNet?

The attack requires too many queries, making it impractical and non-covert. (A)

Which of the following is NOT a strategy used in the ZOO attack?

Whitebox attack on a substitute model (A)

What is the advantage of the hierarchical attack strategy in the ZOO attack?

It optimizes groups of features and gradually increases the resolution when the loss converges. (D)

Which of the following statements about the ZOO attack is NOT true?

It can be used to create a substitute model for a target model without access to its training data. (C)

What iterative process is described in the Square Attack method for black-box adversarial attacks?

Adding transparent squares randomly to the image until classification changes

In the Square Attack method, what action is taken if adding a square to the image does not reduce the loss?

Remove the square and loop back to the beginning of the iterative process

What is the key strategy in the Square Attack method to improve convergence over time?

Gradually reducing square size

What is the primary difference between A Priori Attacks and Priori Attacks in the context of black-box adversarial attacks?

A Priori Attacks utilize knowledge about the model, while Priori Attacks involve querying the model and adapting

What is the main objective of the Subspace Attack method in black-box adversarial attacks?

Exploiting promising subspaces for query-efficient attacks

Explain the significance of the Hierarchical Attack Approach in the ZOO Attack strategy.

The Hierarchical Attack Approach groups coordinates together to optimize, gradually decreasing group size to increase resolution when loss converges.

In the context of black-box attacks, what is the main challenge with the ZOO Attack on large input dimensions like ImageNet?

The main challenge is that a successful attack requires many iterations, leading to a high number of queries which can make the attack impractical or non-covert.

How does the Stochastic Coordinate Descent Approach contribute to the ZOO Attack strategy?

For each iteration, it selects a random coordinate to optimize, converging faster due to the stochastic nature of the optimization process.

What is the primary challenge when using the ZOO Attack in terms of query efficiency?

The challenge is that one iteration of the ZOO Attack requires a high number of queries on the model, making it computationally expensive and time-consuming.

Explain the importance of the Zeroth Order Optimization (ZOO) approach in black-box adversarial attacks.

The ZOO approach allows for attacking deep neural networks without requiring training substitute models, making it a powerful and efficient method for generating adversarial examples.

Explain the difference between SIMBA and Square Attack in terms of their approaches to black-box adversarial attacks.

SIMBA uses simple black-box attacks with Cartesian and Discreet Cosine Transform bases, while Square Attack utilizes a query-efficient random search based approach for images only.

How does the concept of DCT basis contribute to the understanding of adversarial attacks?

DCT basis breaks down signals, including images, into sine wave patterns which can be manipulated to create adversarial examples.

What is the main advantage of Square Attack over SIMBA in the context of black-box adversarial attacks?

Square Attack is more effective than SIMBA because it leverages spatial context in images, making it a query-efficient approach.

How does the use of different bases, such as Cartesian and Discreet Cosine Transform, impact the success of black-box adversarial attacks?

Using different bases allows for targeted manipulations in specific patterns, enhancing the effectiveness of adversarial attacks.

Explain the motivation behind Square Attack's emphasis on spatial context in images for adversarial attacks.

Square Attack focuses on spatial context to create more effective adversarial examples by leveraging the relationships between pixels.

Explain the difference between Priori and A Priori attacks in the context of adversarial attacks.

Priori attacks involve knowing something about the function before the attack, while A Priori attacks involve knowing something about the function during the attack.

What is the concept of transferability in the context of adversarial attacks?

Transferability refers to the ability of adversarial examples to fool multiple models, indicating common decision boundaries.

How do Transfer-based attacks leverage the concept of transferability to generate adversarial examples?

Transfer-based attacks exploit the transferability of adversarial examples to fool multiple models and increase attack success rates.

Explain the mechanism of Transfer-based Attacks in the context of adversarial attacks.

Transfer-based Attacks involve selecting adversarial examples that successfully fool one model and using them against another model to increase attack success rates.

What role does the concept of Whitebox attack on substitute model play in evading defenses in adversarial attacks?

Whitebox attack on substitute model helps in generating adversarial examples by approximating gradients, even in black-box scenarios, thus evading detection and defenses.

Explain the concept of black-box attacks in adversarial machine learning.

Black-box attacks involve targeting a model whose internal workings are unknown to the attacker, requiring query access to the model for crafting adversarial examples.

What is the key advantage of a decision-based attack over other types of attacks in black-box adversarial settings?

It requires less assumptions, making it stronger.

What is the primary objective of recent developments in decision-based attacks?

To reduce the number of queries needed for a successful attack and minimize noise levels in adversarial examples.

What is the key strategy behind a query-efficient attack?

The key strategy involves minimizing the number of queries made to the target model while still achieving successful adversarial perturbations.

In the boundary attack approach, what is the initial step involving the adversarial input?

Start with a random noise as the initial adversarial input.

Describe the subspace attack approach in adversarial machine learning.

The subspace attack method involves perturbing the input data within a reduced-dimensional subspace to generate adversarial examples.

What is the mechanism behind the boundary attack approach to adversarial attacks?

Iteratively shift the input closer to the decision boundary of the classifier.

What is the primary concept behind random search in adversarial attacks?

Random search involves exploring the input space randomly to find perturbations that lead to misclassification by the target model.

What distinguishes a decision-based attack from other types of black-box adversarial attacks?

It focuses on iteratively modifying inputs based solely on the hard label output of the classifier.

How does image classification play a role in adversarial machine learning?

Image classification is a common domain for adversarial attacks, where small perturbations to images can lead to misclassification by machine learning models.

What is the key goal of the TIMI attack in terms of input diversity?

To make a perturbation that changes the prediction, while keeping the features of the input unchanged

How does the TIMI attack address the input diversity problem?

By applying random transformations to the features of the input

What is the main focus when creating a substitute model for adversarial attacks?

To mimic the behavior of the target model as closely as possible

How does 'Data-free substitute training' impact the process of generating adversarial examples?

It reduces the need for direct access to the target model's training data

What is the key advantage of the hierarchical attack strategy in the ZOO attack?

It allows for more efficient exploration of the input space

What is the significance of the constraint in the ensemble approach for increasing transferability?

It ensures that the perturbation magnitude is limited

What role does the concept of 'Whitebox attack on substitute model' play in evading defenses in adversarial attacks?

It helps to craft transferable adversarial examples by exploiting the substitute model's vulnerabilities

In the context of adversarial attacks, what is the advantage of using an ensemble of surrogate models over a single surrogate model?

It increases the diversity and effectiveness of the generated adversarial examples

What is the primary objective of the surrogate diversity approach in increasing transferability?

To enhance the generalization of adversarial examples across different models

What is the advantage of the hierarchical attack strategy in the ZOO attack?

It allows for more targeted exploration of the input dimensions

Flashcards

Surrogate Diversity Objective

Ensembling surrogate models with varying decision boundaries to increase transferability.

Ensemble Objective Function

Minimizing the sum of losses across all surrogate models for a perturbed input.

Perturbation Constraint: δ < ϵ

Ensuring the perturbation is small enough to be imperceptible to humans.

Ensemble Model Variation

Each surrogate model has a similar but slightly varying decision boundary.

Advantage of Ensemble Models

Increased transferability of adversarial examples to unknown target models.

ZOO Attack Advantage

Combines white-box attacks on a substitute model with black-box attacks on the victim.

Surrogate Model Purpose

To create a substitute model that approximates the victim's decision boundaries.

SIMBA Advantage

It incorporates a more efficient optimization technique.

ODS Technique Purpose

To diversify the output predictions of the substitute model.

Transferability

The ability of an adversarial example to fool multiple models with different architectures.

Larger Perturbation Recommendation

To introduce noise that aids in better transfer of adversarial examples.

Crucial Factor for Transferability

The choice of random seed for initializing parameters.

Generating Diverse Samples

Optimizing over diverse inputs.

Estimating Best Image

Performing ranking based on estimated image quality.

Optimizing over Diverse Architectures

Utilizing a more generic model for sample generation.

No Query Access Attack

The adversary uses an open source dataset similar to the training data of the victim model.

Purpose of Substitute Model

To generate adversarial examples that are likely to transfer to the victim model.

Attack Scenario Requiring Most Queries

Unbounded Query Access

Purpose of Whitebox Attack

To generate adversarial examples that are likely to transfer to the victim model.

Advantage of Data-Free Substitute Training

It allows the adversary to create a substitute model without accessing the victim model's training data.

Motivation Behind Gradient Estimation

To compute the gradient of the loss function with respect to the input features

Zero-th Order Gradient Estimation

Approximating gradient using loss at slightly changed inputs

Difference in Gradient Approaches

One uses function evaluations, the other computes derivatives

Challenge of Substitute Models

Ensuring attack is transferable from substitute to target

Advantage of ZOO Attack

Does not require access to the target model's training data

Goal of TIMI attack

Produce a perturbation 𝛿 for 𝑥 such that 𝑓 𝑇 𝑥 +𝛿 ≠ 𝑦

How TIMI addresses input diversity problem

By applying transformations on dataset

Meaning of 'invariant' in TIMI

Being unaffected by transformation

Concept of 'image shift augmentations'

Applying shifts to the gradient of input images

Role of 'Whitebox attack'

Generating adversarial examples effective across models

Study Notes

• AISEC 2017 introduced the concept of ZOO (Zeroth Order Optimization) based Black-box Attacks to Deep Neural Networks without Training Substitute Models.
• ZOO Attack Challenge: Each iteration of ZOO requires 2𝑛 queries on the model, making it impractical due to the high number of required queries for successful attacks.
• ZOO Attack Strategy 1: Stochastic Coordinate Descent Approach involves selecting a random feature to optimize in each iteration, leading to faster convergence.
• ZOO Attack Strategy 2: Hierarchical Attack Approach involves attacking groups of coordinates together and gradually decreasing the group size to increase resolution as the loss converges.
• Transferability in attacks is influenced by the 𝝐 budget, with larger perturbations improving transferability, especially in maximum-confidence attacks.
• Increasing Transferability Approaches include generating samples using a more generic model, utilizing the entire epsilon budget, and generating samples with better transfer diversity through surrogate diversity and input diversity.
• Estimating Gradients is crucial in black-box attacks since there is no access to the model's parameters, requiring the estimation of gradients to perform attacks effectively.

Description

This quiz covers the process of adversarial attacks in machine learning, where adversaries exploit knowledge of the training data distribution to craft malicious inputs that deceive the models. Topics include training substitute models, whitebox attacks, and transferability of adversarial samples.