DOI: 10.1145/3052973.3053009
Research article, ASIA CCS conference proceedings

Practical Black-Box Attacks against Machine Learning

Published: 02 April 2017

Abstract

Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists of training a local model to substitute for the target DNN, using inputs synthetically generated by the adversary and labeled by the target DNN. We use the local substitute to craft adversarial examples, and find that they are misclassified by the targeted DNN. To perform a real-world and properly blinded evaluation, we attack a DNN hosted by MetaMind, an online deep learning API. We find that their DNN misclassifies 84.24% of the adversarial examples crafted with our substitute. We demonstrate the general applicability of our strategy to many ML techniques by conducting the same attack against models hosted by Amazon and Google, using logistic regression substitutes. They yield adversarial examples misclassified by Amazon and Google at rates of 96.19% and 88.94%, respectively. We also find that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.
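The substitute-and-transfer mechanism the abstract describes, reduced to a toy so that the mechanism itself is visible. This is an added example, not code from the paper or from MetaMind, Amazon or Google, and everything in it is constructed: the "oracle" is a fixed two-dimensional linear classifier that exposes class labels only (standing in for a remotely hosted model), the synthetic queries are uniform random points, the substitute is a logistic regression fitted by batch gradient descent, and the perturbation is the fast gradient sign step of Goodfellow et al. (2015). For a defender the quantity to look at is `transfer_rate`: how often a perturbation computed on a substitute that never saw the oracle's weights still flips the oracle's label. Run against your own model with the same label-only interface, it measures how much that interface leaks, which is the risk the abstract is about.

```python
"""Toy illustration of substitute-model transferability (added example).

Constructed setting: a hidden 2-D linear "oracle" that returns only labels,
uniform random synthetic queries, a logistic-regression substitute trained on
the oracle's answers, and an FGSM-style perturbation computed on the substitute.
"""
import numpy as np

# Constructed oracle parameters; the adversary never reads these, it only
# calls oracle_labels() and sees 0/1 answers.
ORACLE_W = np.array([1.0, -0.5])
ORACLE_B = 0.1


def oracle_labels(x: np.ndarray) -> np.ndarray:
    """Label-only API: returns the class (0/1), never scores or gradients."""
    return (x @ ORACLE_W + ORACLE_B > 0).astype(int)


def train_substitute(x: np.ndarray, y: np.ndarray, lr: float = 0.5, steps: int = 2000):
    """Fit a logistic regression to oracle-labelled queries by gradient descent."""
    w = np.zeros(x.shape[1])
    b = 0.0
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(x @ w + b)))   # substitute's P(y=1 | x)
        w -= lr * (x.T @ (p - y)) / len(y)        # mean gradient of the log loss
        b -= lr * np.mean(p - y)
    return w, b


def fgsm_from_substitute(x: np.ndarray, y: np.ndarray, w_sub: np.ndarray, eps: float):
    """x' = x + eps * sign(d loss / d x), with the gradient taken on the substitute.

    For logistic regression the input gradient is (p - y) * w, and sign(p - y)
    is -1 when y = 1 and +1 when y = 0, so the step is eps * (1 - 2y) * sign(w).
    """
    direction = (1 - 2 * y)[:, None] * np.sign(w_sub)[None, :]
    return x + eps * direction


def run_demo(n_queries: int = 200, n_test: int = 500, eps: float = 0.5, seed: int = 0) -> dict:
    """Train a substitute from label-only queries and measure transfer to the oracle."""
    rng = np.random.default_rng(seed)

    # Adversary's synthetic queries (constructed), labelled by the oracle.
    xq = rng.uniform(-1, 1, size=(n_queries, 2))
    w_sub, b_sub = train_substitute(xq, oracle_labels(xq))

    # Held-out points: how well does the substitute mimic the oracle?
    xt = rng.uniform(-1, 1, size=(n_test, 2))
    yt = oracle_labels(xt)
    sub_pred = (xt @ w_sub + b_sub > 0).astype(int)
    agreement = float(np.mean(sub_pred == yt))

    # Perturb using only the substitute; check whether the oracle's label flips.
    x_adv = fgsm_from_substitute(xt, yt, w_sub, eps)
    transfer_rate = float(np.mean(oracle_labels(x_adv) != yt))
    return {"agreement": agreement, "transfer_rate": transfer_rate}


if __name__ == "__main__":
    print(run_demo())
```

With the constructed oracle and `eps=0.5`, roughly seven in ten held-out points flip the oracle's label even though the perturbation was computed without ever seeing the oracle's parameters; sweeping `eps` or `n_queries` shows how the leak scales with the perturbation budget and the number of label queries the interface allows.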




Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017, 952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

adversarial machine learning; black-box attack; machine learning

Conference

ASIA CCS '17

    Acceptance Rates

    ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Article Metrics

• Downloads (last 12 months): 962
• Downloads (last 6 weeks): 120
Reflects downloads up to 14 Dec 2024

Cited By
• (2025) Dynamic Routing and Knowledge Re-Learning for Data-Free Black-Box Attack. IEEE Transactions on Pattern Analysis and Machine Intelligence 47(1):486-501, doi:10.1109/TPAMI.2024.3469952. Published Jan 2025.
• (2025) -norm distortion-efficient adversarial attack. Signal Processing: Image Communication 131:117241, doi:10.1016/j.image.2024.117241. Published Feb 2025.
• (2024) Slalom at the Carnival: Privacy-preserving Inference with Masks from Public Knowledge. IACR Communications in Cryptology, doi:10.62056/akp-49qgxq. Published 7 Oct 2024.
• (2024) Perturbation Augmentation for Adversarial Training with Diverse Attacks. Gazi University Journal of Science Part A: Engineering and Innovation 11(2):274-288, doi:10.54287/gujsa.1458880. Published 4 Jun 2024.
• (2024) Adversarial Training and Robustness in Machine Learning Frameworks. International Journal of Advanced Research in Science, Communication and Technology, pages 198-201, doi:10.48175/IJARSCT-15935. Published 22 Mar 2024.
• (2024) Securing Machine Learning: Understanding Adversarial Attacks and Bias Mitigation. International Journal of Innovative Science and Research Technology (IJISRT), pages 2316-2342, doi:10.38124/ijisrt/IJISRT24JUN1671. Published 11 Jul 2024.
• (2024) Artificial Intelligence in IoT Security: Review of Advancements, Challenges, and Future Directions. International Journal of Innovative Technology and Exploring Engineering 13(7):14-20, doi:10.35940/ijitee.G9911.13070624. Published 30 Jun 2024.
• (2024) A Comprehensive Study on the Robustness of Deep Learning-Based Image Classification and Object Detection in Remote Sensing: Surveying and Benchmarking. Journal of Remote Sensing 4, doi:10.34133/remotesensing.0219. Published 3 Oct 2024.
• (2024) Adversarial Attacks on Intrusion Detection Systems in In-Vehicle Networks of Connected and Autonomous Vehicles. Sensors 24(12):3848, doi:10.3390/s24123848. Published 14 Jun 2024.
• (2024) Adversarial Attacks against Deep-Learning-Based Automatic Dependent Surveillance-Broadcast Unsupervised Anomaly Detection Models in the Context of Air Traffic Management. Sensors 24(11):3584, doi:10.3390/s24113584. Published 2 Jun 2024.
