# Making targeted black-box evasion attacks effective and efficient

**Authors:** Mika Juuti, Buse Gul Atli, N. Asokan

arXiv: 1906.03397 · 2020-10-23

## TL;DR

This paper explores how to perform targeted black-box evasion attacks on neural networks efficiently by balancing query costs and attack success, introducing new strategies that drastically reduce query requirements.

## Contribution

It introduces two novel attack strategies that significantly lower query counts and demonstrates the effectiveness of adaptive attack techniques in real-world API scenarios.

## Key findings

- Achieved successful attacks with up to 1000x fewer queries.
- Demonstrated attacks on Google Cloud Vision requiring only ~500 queries.
- Showed the tradeoff between query efficiency and attack effectiveness.

## Abstract

We investigate how an adversary can optimally use its query budget for targeted evasion attacks against deep neural networks in a black-box setting. We formalize the problem setting and systematically evaluate what benefits the adversary can gain by using substitute models. We show that there is an exploration-exploitation tradeoff in that query efficiency comes at the cost of effectiveness. We present two new attack strategies for using substitute models and show that they are as effective as previous query-only techniques but require significantly fewer queries, by up to three orders of magnitude. We also show that an agile adversary capable of switching through different attack techniques can achieve pareto-optimal efficiency. We demonstrate our attack against Google Cloud Vision showing that the difficulty of black-box attacks against real-world prediction APIs is significantly easier than previously thought (requiring approximately 500 queries instead of approximately 20,000 as in previous works).

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.03397/full.md

## Figures

23 figures with captions in the complete paper: https://tomesphere.com/paper/1906.03397/full.md

## References

45 references — full list in the complete paper: https://tomesphere.com/paper/1906.03397/full.md

---
Source: https://tomesphere.com/paper/1906.03397