How stealthy is stealthy? Studying the Efficacy of Black-Box Adversarial Attacks in the Real World
Francesco Panebianco, Mario D'Onghia, Stefano Zanero and Michele Carminati

TL;DR
This paper evaluates the real-world effectiveness of black-box adversarial attacks on deep learning systems, introducing ECLIPSE, a new method that balances robustness, stealthiness, and detectability.
Contribution
It proposes ECLIPSE, a novel black-box attack method that improves the trade-off between robustness, stealthiness, and detectability in adversarial attacks.
Findings
ECLIPSE outperforms existing methods in balancing attack properties.
The study introduces three properties to evaluate attack feasibility.
Experimental results demonstrate ECLIPSE's advantages across multiple criteria.
Abstract
Deep learning systems, critical in domains like autonomous vehicles, are vulnerable to adversarial examples (crafted inputs designed to mislead classifiers). This study investigates black-box adversarial attacks in computer vision. This is a realistic scenario, where attackers have query-only access to the target model. Three properties are introduced to evaluate attack feasibility: robustness to compression, stealthiness to automatic detection, and stealthiness to human inspection. State-of-the-art methods tend to prioritize one criterion at the expense of others. We propose ECLIPSE, a novel attack method employing Gaussian blurring on sampled gradients and a local surrogate model. Comprehensive experiments on a public dataset highlight ECLIPSE's advantages, demonstrating its contribution to the trade-off between the three properties.
