DOI: 10.1145/3052973.3053009 (research article, ASIA CCS conference proceedings)

Practical Black-Box Attacks against Machine Learning

Published: 02 April 2017

Abstract

Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs, while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists in training a local model to substitute for the target DNN, using inputs synthetically generated by an adversary and labeled by the target DNN. We use the local substitute to craft adversarial examples, and find that they are misclassified by the targeted DNN. To perform a real-world and properly-blinded evaluation, we attack a DNN hosted by MetaMind, an online deep learning API. We find that their DNN misclassifies 84.24% of the adversarial examples crafted with our substitute. We demonstrate the general applicability of our strategy to many ML techniques by conducting the same attack against models hosted by Amazon and Google, using logistic regression substitutes. They yield adversarial examples misclassified by Amazon and Google at rates of 96.19% and 88.94%. We also find that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.

Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017, 952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. adversarial machine learning
  2. black-box attack
  3. machine learning

Qualifiers

  • Research-article

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate: 67 of 359 submissions, 19%
Overall Acceptance Rate: 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months): 918
  • Downloads (Last 6 weeks): 107
Reflects downloads up to 03 Mar 2025
