Effectively Improving Data Diversity of Substitute Training for Data-Free Black-Box Attack

IF 7 | Zone 2 (Computer Science) | Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Yang Wei, Zhuo Ma, Zhuo Ma, Zhan Qin, Yang Liu, Bin Xiao, Xiuli Bi, Jianfeng Ma
DOI: 10.1109/TDSC.2023.3347753 (https://doi.org/10.1109/TDSC.2023.3347753)
Journal: IEEE Transactions on Dependable and Secure Computing (IF 7.0, JCR Q1, COMPUTER SCIENCE, HARDWARE & ARCHITECTURE)
Publication date: 2024-07-01
Publication type: Journal Article
Open access: no
Citations: 0

Abstract

Recent substitute training methods have utilized the concept of Generative Adversarial Networks (GANs) to implement data-free black-box attacks. Specifically, in designing the generators, the substitute training methods use a similar structure to the generators in GANs. However, this design approach ignores the potential situation that the generators in GANs operate under real data supervision, while the generators in substitute training methods lack such supervision. This difference in data-supervised conditions constrains the diversity of data generated by the substitute training methods, resulting in inadequate data to support effective training of the substitute model. This further impacts the substitute model's ability to attack the target model. Consequently, to solve the above issues, we propose three strategies to improve the attack success rates. For the generator, we first propose a dense projection space that projects the input noise into various latent feature spaces to diversify feature information. Then, we introduce a novel disguised natural color mode. This mode improves information exchange between the generator's output layer and previous layers, allowing for more diverse generated data. Besides, we present a regularization method for the substitute model, called noise-based balanced learning, to prevent the potential risk of overfitting due to the lack of diversity of the generated data. In the experimental analysis, extensive experiments are conducted to validate the effectiveness of these proposed strategies.
Source journal: IEEE Transactions on Dependable and Secure Computing (Engineering & Technology, Computer Science: Software Engineering)
CiteScore: 11.20
Self-citation rate: 5.50%
Articles published: 354
Review time: 9 months
Journal description: The "IEEE Transactions on Dependable and Secure Computing (TDSC)" is a prestigious journal that publishes high-quality, peer-reviewed research in the field of computer science, specifically targeting the development of dependable and secure computing systems and networks. This journal is dedicated to exploring the fundamental principles, methodologies, and mechanisms that enable the design, modeling, and evaluation of systems that meet the required levels of reliability, security, and performance. The scope of TDSC includes research on measurement, modeling, and simulation techniques that contribute to the understanding and improvement of system performance under various constraints. It also covers the foundations necessary for the joint evaluation, verification, and design of systems that balance performance, security, and dependability. By publishing archival research results, TDSC aims to provide a valuable resource for researchers, engineers, and practitioners working in the areas of cybersecurity, fault tolerance, and system reliability. The journal's focus on cutting-edge research ensures that it remains at the forefront of advancements in the field, promoting the development of technologies that are critical for the functioning of modern, complex systems.