Your Attack Is Too DUMB: Formalizing Attacker Scenarios for Adversarial Transferability
Authors:
Marco Alecci,
Mauro Conti,
Francesco Marchiori,
Luca Martinelli,
Luca Pajola
Abstract:
Evasion attacks are a threat to machine learning models, where adversaries attempt to affect classifiers by injecting malicious samples. An alarming side-effect of evasion attacks is their ability to transfer among different models: this property is called transferability. Therefore, an attacker can produce adversarial samples on a custom model (surrogate) to conduct the attack on a victim's organization later. Although literature widely discusses how adversaries can transfer their attacks, their experimental settings are limited and far from reality. For instance, many experiments consider both attacker and defender sharing the same dataset, balance level (i.e., how the ground truth is distributed), and model architecture.
In this work, we propose the DUMB attacker model. This framework allows analyzing if evasion attacks fail to transfer when the training conditions of surrogate and victim models differ. DUMB considers the following conditions: Dataset soUrces, Model architecture, and the Balance of the ground truth. We then propose a novel testbed to evaluate many state-of-the-art evasion attacks with DUMB; the testbed consists of three computer vision tasks with two distinct datasets each, four types of balance levels, and three model architectures. Our analysis, which generated 13K tests over 14 distinct attacks, led to numerous novel findings in the scope of transferable attacks with surrogate models. In particular, mismatches between attackers and victims in terms of dataset source, balance levels, and model architecture lead to non-negligible loss of attack performance.
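The abstract above describes the DUMB attacker model (mismatch in Dataset source, Model architecture and Balance between surrogate and victim) only in prose. What follows is an added worked example, written for this page and not code from the paper or its testbed: a miniature transferability experiment in pure Python. A surrogate logistic-regression model, trained on a balanced sample of a constructed "source A", crafts one-step FGSM adversarial examples; each victim then differs from the surrogate in source (A vs B), class balance (50% vs 15% positives) and/or architecture (logistic regression vs nearest-centroid), and the attack success rate is measured per victim. The two Gaussian sources, the noise level, epsilon, the training hyper-parameters and the single attack are all assumptions chosen for illustration; the paper's own testbed uses three computer-vision tasks, three architectures and 14 attacks.

```python
"""Added example (not from the paper): a miniature DUMB-style transferability
experiment. Surrogate = logistic regression on balanced source A. Victims vary
dataset source, class balance and model architecture. All data are constructed
synthetic 2-D Gaussians; sources, noise, eps and training settings are
assumptions made for illustration only."""
import math
import random

# Constructed sources: the two class means are oriented differently in B,
# so a perturbation aligned with A's decision boundary is a poor fit for B.
SOURCES = {
    "A": {0: (-1.0, -1.0), 1: (1.0, 1.0)},
    "B": {0: (-1.0, 0.5), 1: (1.0, -0.5)},
}
NOISE = 0.6  # assumed per-coordinate Gaussian noise around each class mean


def sample(source, n, pos_frac, seed):
    """Draw n labelled points from a source; pos_frac is the ground-truth balance."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        y = 1 if rng.random() < pos_frac else 0
        mx, my = SOURCES[source][y]
        xs.append((mx + rng.gauss(0, NOISE), my + rng.gauss(0, NOISE)))
        ys.append(y)
    return xs, ys


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class LogReg:
    """2-D logistic regression, full-batch gradient descent with an L2 penalty."""
    def __init__(self, xs, ys, epochs=300, lr=0.1, l2=0.01):
        self.w, self.b = [0.0, 0.0], 0.0
        n = len(xs)
        for _ in range(epochs):
            gw, gb = [0.0, 0.0], 0.0
            for (x1, x2), y in zip(xs, ys):
                err = sigmoid(self.w[0] * x1 + self.w[1] * x2 + self.b) - y
                gw[0] += err * x1
                gw[1] += err * x2
                gb += err
            self.w = [wi - lr * (g / n + l2 * wi) for wi, g in zip(self.w, gw)]
            self.b -= lr * gb / n

    def predict(self, x):
        return 1 if self.w[0] * x[0] + self.w[1] * x[1] + self.b > 0 else 0

    def input_grad_sign(self, x, y):
        """sign(d loss / d x) for the logistic loss, i.e. sign((p - y) * w)."""
        err = sigmoid(self.w[0] * x[0] + self.w[1] * x[1] + self.b) - y
        return [math.copysign(1.0, err * wi) for wi in self.w]


class Centroid:
    """Nearest-centroid classifier: a different model family with no gradients."""
    def __init__(self, xs, ys):
        self.c = {}
        for k in (0, 1):
            pts = [x for x, y in zip(xs, ys) if y == k]
            self.c[k] = (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))

    def predict(self, x):
        d = {k: (x[0] - c[0]) ** 2 + (x[1] - c[1]) ** 2 for k, c in self.c.items()}
        return min(d, key=d.get)


def fgsm(surrogate, xs, ys, eps):
    """One-step FGSM crafted on the surrogate: x_adv = x + eps * sign(grad_x loss)."""
    return [tuple(xi + eps * s for xi, s in zip(x, surrogate.input_grad_sign(x, y)))
            for x, y in zip(xs, ys)]


def success_rate(model, xs, adv, ys):
    """Share of samples the model classified correctly when clean that x_adv flips."""
    flipped = total = 0
    for x, xa, y in zip(xs, adv, ys):
        if model.predict(x) == y:
            total += 1
            flipped += model.predict(xa) != y
    return flipped / total if total else 0.0


def run_dumb_grid(eps=1.5):
    """Surrogate: LogReg / source A / balanced. Victims: each (source, balance, arch)."""
    xs, ys = sample("A", 400, 0.5, seed=1)
    surrogate = LogReg(xs, ys)
    test_x, test_y = sample("A", 500, 0.5, seed=2)   # the attacker's own test data
    adv = fgsm(surrogate, test_x, test_y, eps)
    results = {"whitebox": success_rate(surrogate, test_x, adv, test_y)}
    for src in ("A", "B"):
        for bal in (0.5, 0.15):
            vx, vy = sample(src, 400, bal, seed=3)
            for name, cls in (("logreg", LogReg), ("centroid", Centroid)):
                results[(src, bal, name)] = success_rate(cls(vx, vy), test_x, adv, test_y)
    return results


if __name__ == "__main__":
    for key, rate in run_dumb_grid().items():
        print(f"{str(key):32s} attack success = {rate:.2f}")
```

The only victim that matches the surrogate on all three DUMB axes is ("A", 0.5, "logreg") trained on a different sample; every other row changes at least one of source, balance or architecture. Comparing that row with ("B", 0.5, "logreg") isolates the dataset-source mismatch: the FGSM step is aligned with the surrogate's boundary in A, and most of it is wasted against a boundary oriented differently in B, which is the kind of transfer loss the abstract reports. The balance and architecture rows can be read the same way; with these constructed sources the source mismatch is the largest effect, but that ordering is a property of the toy data, not a general result.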
Submitted 27 June, 2023;
originally announced June 2023.
Weak-signal extraction enabled by deep-neural-network denoising of diffraction data
Authors:
Jens Oppliger,
M. Michael Denner,
Julia Küspert,
Ruggero Frison,
Qisi Wang,
Alexander Morawietz,
Oleh Ivashko,
Ann-Christin Dippel,
Martin von Zimmermann,
Izabela Biało,
Leonardo Martinelli,
Benoît Fauqué,
Jaewon Choi,
Mirian Garcia-Fernandez,
Ke-** Zhou,
Niels B. Christensen,
Tohru Kurosawa,
Naoki Momono,
Migaku Oda,
Fabian D. Natterer,
Mark H. Fischer,
Titus Neupert,
Johan Chang
Abstract:
Removal or cancellation of noise has wide-spread applications for imaging and acoustics. In every-day-life applications, denoising may even include generative aspects, which are unfaithful to the ground truth. For scientific use, however, denoising must reproduce the ground truth accurately. Here, we show how data can be denoised via a deep convolutional neural network such that weak signals appear with quantitative accuracy. In particular, we study X-ray diffraction on crystalline materials. We demonstrate that weak signals stemming from charge ordering, insignificant in the noisy data, become visible and accurate in the denoised data. This success is enabled by supervised training of a deep neural network with pairs of measured low- and high-noise data. We demonstrate that using artificial noise does not yield such quantitatively accurate results. Our approach thus illustrates a practical strategy for noise filtering that can be applied to challenging acquisition problems.
Submitted 11 December, 2023; v1 submitted 19 September, 2022;
originally announced September 2022.