Besting the Black-Box: Barrier Zones for Adversarial Example Defense

Abstract: Adversarial machine learning defenses have primarily been focused on mitigating static, white-box attacks. However, it remains an open question whether such defenses are robust under an adaptive black-box adversary. In this paper, we specifically focus on the black-box threat model and make the following contributions: First we develop an enhanced adaptive black-box attack which is experimentally shown to be ≥ 30% more effective than the original adaptive black-box attack proposed by Papernot et al. For our second contribution, we test 10 recent defenses using our new attack and propose our own black-box defense (barrier zones). We show that our defense based on barrier zones offers significant improvements in security over state-of-the-art defenses. This improvement includes greater than 85% robust accuracy against black-box boundary attacks, transfer attacks and our new adaptive black-box attack, for the datasets we study. For completeness, we verify our claims through extensive experimentation with 10 other defenses using three adversarial models (14 different black-box attacks) on two datasets (CIFAR-10 and Fashion-MNIST).

Bibliographic Details
Published in: IEEE Access, 2022, Vol. 10, p. 1451-1474 (24 pages)
Main Authors: Mahmood, Kaleel; Nguyen, Phuong Ha; Nguyen, Lam M.; Nguyen, Thanh; Van Dijk, Marten
ORCID: 0000-0002-7672-4449; 0000-0001-6083-606X; 0000-0001-9388-8050
Format: Article (peer reviewed)
Language: English
Publisher: Piscataway: IEEE
ISSN: 2169-3536
EISSN: 2169-3536
CODEN: IAECCG
DOI: 10.1109/ACCESS.2021.3138966
Subjects: adversarial defense; adversarial examples; Adversarial machine learning; black-box attack; Datasets; Deep learning; Experimentation; Machine learning; Measurement; Robustness; Security; Training data; Transforms
Source: IEEE Open Access Journals (free to read)
Online Access: https://ieeexplore.ieee.org/document/9663375