Ensemble adversarial black-box attacks against deep learning systems

摘要

Deep learning (DL) models, e.g., state-of-the-art convolutional neural networks (CNNs), have been widely applied into security sensitivity tasks, such as face payment, security monitoring, automated driving, etc. Then their vulnerability analysis is an emergent topic, especially for black-box attacks, where adversaries do not know the model internal architectures or training parameters. In this paper, two types of ensemble-based black-box attack strategies, selective cascade ensemble strategy (SCES) and stack parallel ensemble strategy (SPES), are proposed to explore the vulnerability of DL system and potential factors that contribute to the high-efficiency attacks are explored. SCES adopts a boosting structure of ensemble learning and SPES employs a bagging structure. Moreover, two pairwise and non-pairwise diversity measures are adopted to examine the relationship between the diversity in substitutes ensembles and transferability of generated adversarial examples. Experimental results show that proposed ensemble adversarial black-box attack strategies can successfully attack the DL system with some defense mechanism, such as adversarial training and ensemble adversarial training. The experimental results also show the greater the diversity in substitute ensembles enables stronger transferability. (C) 2020 Elsevier Ltd. All rights reserved.