Adversarial Machine Learning in Image Classification: A Survey Towards the Defender’s Perspective 7
Fig. 4. (a): Malicious and usually imperceptible perturbations present in a input image can induce trained
models to misclassification. Adapted from Klarreich [
93
]. (b): The objective of an adversarial aack is to
generate a perturbation
δx
and insert it into a legitimate image
x
in order to make the resulting adversarial
image x
′
= x + δx cross the decision boundary. Adapted from Bakhti et al. [8].
3.2 Taxonomy of Aacks and Aackers
This section is also based on the concepts and denitions of the works of Akhtar and Mian, Barreno
et al
.
, Brendel et al
.
, Kumar and Mehta, Xiao and Yuan et al
.
[
2
,
10
,
15
,
97
,
190
,
198
] to extend
5
existing taxonomies which organize attacks and attackers. In the context of security, adversarial
attacks and attackers are categorized under threat models. A threat model denes the conditions
under which a defense is designed to provide security garantees against certain types of attacks
and attackers [
19
]. Basically, a threat model delimiters (i) the knowledge an attacker has about the
targeted classier (such as its parameters and architecture), (ii) his goal with the adversarial attack
and (iii) how he will perform the adversarial attack. A threat model can be then classied into six
dierent axes: (i) attacker’s inuency, (ii) attacker’s knowledge, (iii) security violation, (iv) attack
specicity, (v) attack computation and (vi) attack approach.
3.2.1 Aacker’s Influence. This axis denes how the attacker will control the learning process
of deep learning models. According to Xiao [
190
], the attacker can perform two types of attack,
taking into account his inuence on the classication model: (i) causative or poisoning attacks and
(ii) evasive or exploratory attacks.
• Causative or poisoning attacks
: in causative attacks, the attacker has inuence on the deep
learning model during its training stage. In this type of attack, the training samples are corrupted
or the training set is polluted with adversarial examples in order to produce a classication model
incompatible with the original data distribution;
• Evasive or exploratory attacks
: in constrast of causative attacks, in evasive attacks the attacker
has inuence on the deep learning models during the inference or testing stage. Evasive attacks
are the most common type of attack, where the attacker craft adversarial examples that lead
deep learning models to misclassication, usually with a high condence on the prediction.
Evasive attacks can also have an exploratory nature, where the attacker’s objective is to gather
information about the targeted model, such as its parameters, architectures, cost functions, etc.
The most common exploratory attack is the input/output attack, where the attacker provides
the targeted model with adversarial images crafted by him. Afterwards, the attacker observes
the outputs given by the model and tries to reproduce a substitute or surrogate model, so that it
5
Again here, the novel topics proposed by this paper are highlighted by undelined font.
, Vol. 1, No. 1, Article . Publication date: September 2020.
剩余34页未读,继续阅读
syp_net
- 粉丝: 158
- 资源: 1187
我的内容管理
展开
最新资源
- Vue实现iOS原生Picker组件:详细解析与实现思路
- Arduino蓝牙小车:参数调试与功能控制
- 百度Java面试精华:200页精选资源涵盖核心知识点
- Swift使用CoreData填坑指南:CoreData在Swift 3.0的变化
- 微距离无线充电器创新设计及其实验探索
- MTK Android平台开发全攻略:44步详解流程
- RecyclerView全面解析:替代ListView的新选择
- Android开发:自动适配中英文键盘解决方案
- Android调用WebService接口教程
- Android开发:BitmapUtil图片处理全解析与实例
- Android多线程断点续传实现详解
- PCA算法在人脸识别会议签到系统中的应用
- EventBus 3.0:Android事件总线详解与实战应用
- Android FileUtil:全面解析文件操作实用技巧与实例
- RecyclerView添加头部和尾部实战教程
- Android实现微博滑动固定顶部栏实战与优化
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
