ManiGen: A Manifold Aided Black-box Generator of Adversarial Examples
Guanxiong Liu, Issa Khalil, Abdallah Khreishah, Abdulelah Algosaibi, Adel Aldalbahi, Mohammed Alaneem, Abdulaziz Alhumam, Mohammed Anan

TL;DR
ManiGen is a practical black-box adversarial example generator that effectively fools neural network classifiers by searching along data manifolds, without needing internal model details, matching or surpassing existing white-box methods.
Contribution
This paper introduces ManiGen, a novel black-box adversarial generator that does not require any knowledge of the target model's internals, and demonstrates its effectiveness across multiple datasets.
Findings
ManiGen can generate adversarial examples that fool classifiers as effectively as white-box methods.
ManiGen's adversarial examples are more effective against classifiers with defenses.
ManiGen performs well across different datasets and models.
Abstract
Machine learning models, especially neural network (NN) classifiers, have acceptable performance and accuracy that leads to their wide adoption in different aspects of our daily lives. The underlying assumption is that these models are generated and used in attack-free scenarios. However, it has been shown that neural-network-based classifiers are vulnerable to adversarial examples. Adversarial examples are inputs with special perturbations that are ignored by human eyes but can mislead NN classifiers. Most of the existing methods for generating such perturbations require a certain level of knowledge about the target classifier, which makes them not very practical. For example, some generators require knowledge of pre-softmax logits while others utilize prediction scores. In this paper, we design a practical black-box adversarial example generator, dubbed ManiGen. ManiGen does not…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
