Substitute Model Generation for Black-Box Adversarial Attack Based on Knowledge Distillation

Title: Substitute Model Generation for Black-Box Adversarial Attack Based on Knowledge Distillation
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Cui, W., Li, X., Huang, J., Wang, W., Wang, S., Chen, J.
Conference Name: 2020 IEEE International Conference on Image Processing (ICIP)
Keywords: adversarial attack perturbation, adversarial samples, Approximation algorithms, attacking success rate, black box encryption, black-box adversarial attack, black-box adversarial samples, black-box CNN models, black-box models, classification mechanism, compact student model, composability, Computational modeling, Computer vision, computer vision tasks, convolutional neural nets, convolutional neural networks, deep convolutional neural network, DenseNet121, image classification, knowledge distillation, learning (artificial intelligence), Metrics, multiple CNN teacher models, Perturbation methods, Predictive models, pubcrawl, Resiliency, ResNet18, substitute model, substitute model generation, Task Analysis, Training, white-box attacking methods
Abstract: Although deep convolutional neural networks (CNNs) perform well in many computer vision tasks, their classification mechanism is very vulnerable when exposed to the perturbations of adversarial attacks. In this paper, we propose a new algorithm that uses knowledge distillation to generate a substitute model for black-box CNN models. The proposed algorithm distills multiple CNN teacher models into a compact student model, which serves as a substitute for the black-box CNN models to be attacked. Black-box adversarial samples can then be generated on this substitute model using various white-box attack methods. According to our experiments on ResNet18 and DenseNet121, training the substitute model with knowledge distillation boosts the attack success rate (ASR) by 20%.
Citation Key: cui_substitute_2020