Delving into Transferable Adversarial Examples and Black-box Attacks
Yanpei Liu, Xinyun Chen, Chang Liu, Dawn Song

TL;DR
This paper conducts a large-scale study on the transferability of adversarial examples in deep neural networks, introduces ensemble-based methods to generate transferable targeted adversarial examples, and demonstrates their effectiveness against black-box systems.
Contribution
It is the first to analyze transferability on large models and datasets, and to generate targeted adversarial examples that transfer successfully using novel ensemble-based approaches.
Findings
Transferable non-targeted adversarial examples are easy to generate.
Targeted adversarial examples rarely transfer with their target labels using existing methods.
Ensemble-based approaches significantly improve transferability of targeted adversarial examples.
Abstract
An intriguing property of deep neural networks is the existence of adversarial examples, which can transfer among different architectures. These transferable adversarial examples may severely hinder deep neural network-based applications. Previous works mostly study the transferability using small-scale datasets. In this work, we are the first to conduct an extensive study of the transferability over large models and a large-scale dataset, and we are also the first to study the transferability of targeted adversarial examples with their target labels. We study both non-targeted and targeted adversarial examples, and show that while transferable non-targeted adversarial examples are easy to find, targeted adversarial examples generated using existing approaches almost never transfer with their target labels. Therefore, we propose novel ensemble-based approaches to generating transferable…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Physical Unclonable Functions (PUFs) and Hardware Security
