Bad Citrus: Reducing Adversarial Costs with Model Distances
Giorgio Severi, Will Pearce, Alina Oprea

TL;DR
This paper demonstrates that by selecting surrogate models close in weight space to a target model, adversaries can significantly reduce the number of queries needed for successful evasion attacks.
Contribution
It introduces a method to lower adversarial attack costs by leveraging model distances in weight space, enhancing attack efficiency.
Findings
A strong negative correlation exists between model distance and attack success rate.
Using the closest surrogate model improves transferability and reduces query costs.
The proposed approach effectively decreases the resources needed for adversarial attacks.
Abstract
Recent work by Jia et al. showed the possibility of effectively computing pairwise model distances in weight space using a model explanation technique known as LIME. This method requires query-only access to the two models under examination. We argue this insight can be leveraged by an adversary to reduce the net cost (number of queries) of launching an evasion campaign against a deployed model. We show that there is a strong negative correlation between the success rate of adversarial transfer and the distance between the victim model and the surrogate used to generate the evasive samples. Thus, we propose and evaluate a method to reduce adversarial costs by finding the closest surrogate model for adversarial transfer.
Taxonomy
Topics
Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Explainable Artificial Intelligence (XAI)
