TY - GEN
T1 - Transfer Attacks Revisited
T2 - 43rd IEEE Symposium on Security and Privacy, SP 2022
AU - Mao, Yuhao
AU - Fu, Chong
AU - Wang, Saizhuo
AU - Ji, Shouling
AU - Zhang, Xuhong
AU - Liu, Zhenguang
AU - Zhou, Jun
AU - Liu, Alex X.
AU - Beyah, Raheem
AU - Wang, Ting
N1 - Publisher Copyright: © 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - One intriguing property of adversarial attacks is their 'transferability' - an adversarial example crafted with respect to one deep neural network (DNN) model is often found effective against other DNNs as well. Intensive research has been conducted on this phenomenon under simplistic controlled conditions. Yet, thus far there is still a lack of comprehensive understanding about transferability-based attacks ('transfer attacks') in real-world environments. To bridge this critical gap, we conduct the first large-scale systematic empirical study of transfer attacks against major cloud-based MLaaS platforms, taking the components of a real transfer attack into account. The study leads to a number of interesting findings which are inconsistent with the existing ones, including: (i) Simple surrogates do not necessarily improve real transfer attacks. (ii) No dominant surrogate architecture is found in real transfer attacks. (iii) It is the gap between posterior (output of the softmax layer) rather than the gap between logit (so-called κ value) that increases transferability. Moreover, by comparing with prior works, we demonstrate that transfer attacks possess many previously unknown properties in real-world environments, such as (i) Model similarity is not a well-defined concept. (ii) L2 norm of perturbation can generate high transferability without usage of gradient and is a more powerful source than L∞ norm. We believe this work sheds light on the vulnerabilities of popular MLaaS platforms and points to a few promising research directions.
UR - http://www.scopus.com/inward/record.url?scp=85135892251&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85135892251&partnerID=8YFLogxK
U2 - 10.1109/SP46214.2022.9833783
DO - 10.1109/SP46214.2022.9833783
M3 - Conference contribution
AN - SCOPUS:85135892251
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1423
EP - 1439
BT - Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 23 May 2022 through 26 May 2022
ER -