Current neural network-based classifiers are susceptible to adversarial examples even in the black-box setting, where the attacker only has query access to the model. In practice, the threat model for real-world systems is often more restrictive than the typical black-box model where the adversary can observe the full output of the network on arbitrarily many chosen inputs. We define three realistic threat models that more accurately characterize many real-world classifiers: the query-limited setting, the partialinformation setting, and the label-only setting. We develop new attacks that fool classifiers under these more restrictive threat models, where previous methods would be impractical or ineffective. We demonstrate that our methods are effective against an ImageNet classifier under our proposed threat models. We also demonstrate a targeted black-box attack against a commercial classifier, overcoming the challenges of limited query access, partial information, and other practical issues to break the Google Cloud Vision API.

The goal of a decision-based adversarial attack on a trained model is to generate adversarial examples based solely on observing output labels returned by the targeted model. We develop HopSkipJumpAttack, a family of algorithms based on a novel estimate of the gradient direction using binary information at the decision boundary. The proposed family includes both untargeted and targeted attacks optimized for 2 and ∞ similarity metrics respectively. Theoretical analysis is provided for the proposed algorithms and the gradient direction estimate. Experiments show HopSkipJumpAttack requires significantly fewer model queries than several state-of-the-art decision-based adversarial attacks. It also achieves competitive performance in attacking several widely-used defense mechanisms.

Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs, while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists in training a local model to substitute for the target DNN, using inputs synthetically generated by an adversary and labeled by the target DNN. We use the local substitute to craft adversarial examples, and find that they are misclassified by the targeted DNN. To perform a real-world and properly-blinded evaluation, we attack a DNN hosted by MetaMind, an online deep learning API. We find that their DNN misclassifies 84.24% of the adversarial examples crafted with our substitute. We demonstrate the general applicability of our strategy to many ML techniques by conducting the same attack against models hosted by Amazon and Google, using logistic regression substitutes. They yield adversarial examples misclassified by Amazon and Google at rates of 96.19% and 88.94%. We also find that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.

为了适用于现实情况，提出了边界攻击（BAS），并仅使用决策信息确保了100％的攻击成功率。但是，现有的BA方法通过利用简单的随机抽样（SRS）来估算梯度来制作对抗性示例，从而消耗大量模型查询。为了克服SRS的弊端，本文提出了基于拉丁超立方体采样的边界攻击（LHS-BA）以节省查询预算。与SR相比，LHS在相同数量的随机样品中具有更好的均匀性。因此，这些随机样品的平均值比SRS估计的平均梯度更接近真实梯度。在包括MNIST，CIFAR和IMAGENET-1K在内的基准数据集上进行了各种实验。实验结果表明，就查询效率而言，拟议的LHS-BA优于最先进的BA方法。源代码可在https://github.com/gzhu-dvl/lhs-ba上公开获得。

许多最先进的ML模型在各种任务中具有优于图像分类的人类。具有如此出色的性能，ML模型今天被广泛使用。然而，存在对抗性攻击和数据中毒攻击的真正符合ML模型的稳健性。例如，Engstrom等人。证明了最先进的图像分类器可以容易地被任意图像上的小旋转欺骗。由于ML系统越来越纳入安全性和安全敏感的应用，对抗攻击和数据中毒攻击构成了相当大的威胁。本章侧重于ML安全的两个广泛和重要的领域：对抗攻击和数据中毒攻击。

虽然深度神经网络在各种任务中表现出前所未有的性能，但对对抗性示例的脆弱性阻碍了他们在安全关键系统中的部署。许多研究表明，即使在黑盒设置中也可能攻击，其中攻击者无法访问目标模型的内部信息。大多数黑匣子攻击基于查询，每个都可以获得目标模型的输入输出，并且许多研究侧重于减少所需查询的数量。在本文中，我们注意了目标模型的输出完全对应于查询输入的隐含假设。如果将某些随机性引入模型中，它可以打破假设，因此，基于查询的攻击可能在梯度估计和本地搜索中具有巨大的困难，这是其攻击过程的核心。从这种动机来看，我们甚至观察到一个小的添加剂输入噪声可以中和大多数基于查询的攻击和名称这个简单但有效的方法小噪声防御（SND）。我们分析了SND如何防御基于查询的黑匣子攻击，并展示其与CIFAR-10和ImageNet数据集的八种最先进的攻击有效性。即使具有强大的防御能力，SND几乎保持了原始的分类准确性和计算速度。通过在推断下仅添加一行代码，SND很容易适用于预先训练的模型。

对抗性示例是故意生成用于欺骗深层神经网络的输入。最近的研究提出了不受规范限制的不受限制的对抗攻击。但是，以前的不受限制攻击方法仍然存在限制在黑框设置中欺骗现实世界应用程序的局限性。在本文中，我们提出了一种新的方法，用于使用GAN生成不受限制的对抗示例，其中攻击者只能访问分类模型的前1个最终决定。我们的潜在方法有效地利用了潜在空间中基于决策的攻击的优势，并成功地操纵了潜在的向量来欺骗分类模型。通过广泛的实验，我们证明我们提出的方法有效地评估了在黑框设置中查询有限的分类模型的鲁棒性。首先，我们证明我们的目标攻击方法是有效的，可以为包含307个身份的面部身份识别模型产生不受限制的对抗示例。然后，我们证明所提出的方法还可以成功攻击现实世界的名人识别服务。

Standard methods for generating adversarial examples for neural networks do not consistently fool neural network classifiers in the physical world due to a combination of viewpoint shifts, camera noise, and other natural transformations, limiting their relevance to real-world systems. We demonstrate the existence of robust 3D adversarial objects, and we present the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations. We synthesize two-dimensional adversarial images that are robust to noise, distortion, and affine transformation. We apply our algorithm to complex three-dimensional objects, using 3D-printing to manufacture the first physical adversarial objects. Our results demonstrate the existence of 3D adversarial objects in the physical world.

Deep neural networks (DNNs) are one of the most prominent technologies of our time, as they achieve state-of-the-art performance in many machine learning tasks, including but not limited to image classification, text mining, and speech processing. However, recent research on DNNs has indicated ever-increasing concern on the robustness to adversarial examples, especially for security-critical tasks such as traffic sign identification for autonomous driving. Studies have unveiled the vulnerability of a well-trained DNN by demonstrating the ability of generating barely noticeable (to both human and machines) adversarial images that lead to misclassification. Furthermore, researchers have shown that these adversarial images are highly transferable by simply training and attacking a substitute model built upon the target model, known as a black-box attack to DNNs.Similar to the setting of training substitute models, in this paper we propose an effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose zeroth order optimization (ZOO) based attacks to directly estimate the gradients of the targeted DNN for generating adversarial examples. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to * Pin-Yu Chen and Huan Zhang contribute equally to this work.

尽管机器学习系统的效率和可扩展性，但最近的研究表明，许多分类方法，尤其是深神经网络（DNN），易受对抗的例子;即，仔细制作欺骗训练有素的分类模型的例子，同时无法区分从自然数据到人类。这使得在安全关键区域中应用DNN或相关方法可能不安全。由于这个问题是由Biggio等人确定的。 （2013）和Szegedy等人。（2014年），在这一领域已经完成了很多工作，包括开发攻击方法，以产生对抗的例子和防御技术的构建防范这些例子。本文旨在向统计界介绍这一主题及其最新发展，主要关注对抗性示例的产生和保护。在数值实验中使用的计算代码（在Python和R）公开可用于读者探讨调查的方法。本文希望提交人们将鼓励更多统计学人员在这种重要的令人兴奋的领域的产生和捍卫对抗的例子。

Neural networks are known to be vulnerable to adversarial examples: inputs that are close to natural inputs but classified incorrectly. In order to better understand the space of adversarial examples, we survey ten recent proposals that are designed for detection and compare their efficacy. We show that all can be defeated by constructing new loss functions. We conclude that adversarial examples are significantly harder to detect than previously appreciated, and the properties believed to be intrinsic to adversarial examples are in fact not. Finally, we propose several simple guidelines for evaluating future proposed defenses.

随着现实世界图像的大小不同，机器学习模型是包括上游图像缩放算法的较大系统的一部分。在本文中，我们研究了基于决策的黑框设置中图像缩放过程的漏洞与机器学习模型之间的相互作用。我们提出了一种新颖的采样策略，以端到端的方式使黑框攻击利用漏洞在缩放算法，缩放防御和最终的机器学习模型中。基于这种缩放感知的攻击，我们揭示了大多数现有的缩放防御能力在下游模型的威胁下无效。此外，我们从经验上观察到，标准的黑盒攻击可以通过利用脆弱的缩放程序来显着提高其性能。我们进一步在具有基于决策的黑盒攻击的商业图像分析API上证明了这个问题。

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

深度神经网络（DNNS）在各种方案中对对抗数据敏感，包括黑框方案，在该方案中，攻击者只允许查询训练有素的模型并接收输出。现有的黑框方法用于创建对抗性实例的方法是昂贵的，通常使用梯度估计或培训替换网络。本文介绍了\ textit {Attackar}，这是一种基于分数的进化，黑框攻击。 Attackar是基于一个新的目标函数，可用于无梯度优化问题。攻击仅需要访问分类器的输出徽标，因此不受梯度掩蔽的影响。不需要其他信息，使我们的方法更适合现实生活中的情况。我们使用三个基准数据集（MNIST，CIFAR10和Imagenet）使用三种不同的最先进模型（Inception-V3，Resnet-50和VGG-16-BN）测试其性能。此外，我们评估了Attackar在非分辨率转换防御和最先进的强大模型上的性能。我们的结果表明，在准确性得分和查询效率方面，攻击性的表现出色。

We identify obfuscated gradients, a kind of gradient masking, as a phenomenon that leads to a false sense of security in defenses against adversarial examples. While defenses that cause obfuscated gradients appear to defeat iterative optimizationbased attacks, we find defenses relying on this effect can be circumvented. We describe characteristic behaviors of defenses exhibiting the effect, and for each of the three types of obfuscated gradients we discover, we develop attack techniques to overcome it. In a case study, examining noncertified white-box-secure defenses at ICLR 2018, we find obfuscated gradients are a common occurrence, with 7 of 9 defenses relying on obfuscated gradients. Our new attacks successfully circumvent 6 completely, and 1 partially, in the original threat model each paper considers.

最近对机器学习（ML）模型的攻击，例如逃避攻击，具有对抗性示例，并通过提取攻击窃取了一些模型，构成了几种安全性和隐私威胁。先前的工作建议使用对抗性训练从对抗性示例中保护模型，以逃避模型的分类并恶化其性能。但是，这种保护技术会影响模型的决策边界及其预测概率，因此可能会增加模型隐私风险。实际上，仅使用对模型预测输出的查询访问的恶意用户可以提取它并获得高智能和高保真替代模型。为了更大的提取，这些攻击利用了受害者模型的预测概率。实际上，所有先前关于提取攻击的工作都没有考虑到出于安全目的的培训过程中的变化。在本文中，我们提出了一个框架，以评估具有视觉数据集对对抗训练的模型的提取攻击。据我们所知，我们的工作是第一个进行此类评估的工作。通过一项广泛的实证研究，我们证明了受对抗训练的模型比在自然训练情况下获得的模型更容易受到提取攻击的影响。他们可以达到高达$ \ times1.2 $更高的准确性和同意，而疑问低于$ \ times0.75 $。我们还发现，与从自然训练的（即标准）模型中提取的DNN相比，从鲁棒模型中提取的对抗性鲁棒性能力可通过提取攻击（即从鲁棒模型提取的深神经网络（DNN）提取的深神网络（DNN））传递。

Most existing machine learning classifiers are highly vulnerable to adversarial examples. An adversarial example is a sample of input data which has been modified very slightly in a way that is intended to cause a machine learning classifier to misclassify it. In many cases, these modifications can be so subtle that a human observer does not even notice the modification at all, yet the classifier still makes a mistake. Adversarial examples pose security concerns because they could be used to perform an attack on machine learning systems, even if the adversary has no access to the underlying model. Up to now, all previous work has assumed a threat model in which the adversary can feed data directly into the machine learning classifier. This is not always the case for systems operating in the physical world, for example those which are using signals from cameras and other sensors as input. This paper shows that even in such physical world scenarios, machine learning systems are vulnerable to adversarial examples. We demonstrate this by feeding adversarial images obtained from a cell-phone camera to an ImageNet Inception classifier and measuring the classification accuracy of the system. We find that a large fraction of adversarial examples are classified incorrectly even when perceived through the camera.

Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer perturbations computed on undefended models, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step. We further introduce Ensemble Adversarial Training, a technique that augments training data with perturbations transferred from other models. On ImageNet, Ensemble Adversarial Training yields models with stronger robustness to blackbox attacks. In particular, our most robust model won the first round of the NIPS 2017 competition on Defenses against Adversarial Attacks (Kurakin et al., 2017c). However, subsequent work found that more elaborate black-box attacks could significantly enhance transferability and reduce the accuracy of our models.

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

深度学习的进步使得广泛的有希望的应用程序。然而，这些系统容易受到对抗机器学习（AML）攻击的影响;对他们的意见的离前事实制作的扰动可能导致他们错误分类。若干最先进的对抗性攻击已经证明他们可以可靠地欺骗分类器，使这些攻击成为一个重大威胁。对抗性攻击生成算法主要侧重于创建成功的例子，同时控制噪声幅度和分布，使检测更加困难。这些攻击的潜在假设是脱机产生的对抗噪声，使其执行时间是次要考虑因素。然而，最近，攻击者机会自由地产生对抗性示例的立即对抗攻击已经可能。本文介绍了一个新问题：我们如何在实时约束下产生对抗性噪音，以支持这种实时对抗攻击？了解这一问题提高了我们对这些攻击对实时系统构成的威胁的理解，并为未来防御提供安全评估基准。因此，我们首先进行对抗生成算法的运行时间分析。普遍攻击脱机产生一般攻击，没有在线开销，并且可以应用于任何输入;然而，由于其一般性，他们的成功率是有限的。相比之下，在特定输入上工作的在线算法是计算昂贵的，使它们不适合在时间约束下的操作。因此，我们提出房间，一种新型实时在线脱机攻击施工模型，其中离线组件用于预热在线算法，使得可以在时间限制下产生高度成功的攻击。