Distributed Black-box Attack against Image Classification Cloud Services
Han Wu, Sareh Rowlands, and Johan Wahlstrom
Source Code
Hi, I'll present Distributed Black-box Attack against Image Classification Cloud Services. Black-box attacks can fool image classification models without access to model details. Our research intends to investigate if black-box attacks have become a real threat against image classification models deployed on cloud servers.
Deep Learning Models are vulnerable to Adversarial Attacks
White-box Attacks: fast and efficient.
Black-box Attacks: slow and rely on queries.
Increasing the attack succes rate.
Reducing the number of queries.
Reducing the total attack time.
It is no more a secret that Deep Learning Models are vulnerable to Adversarial Attacks. We can generate human-unperceivable perturbations to fool image classification models. Existing adversarial attacks consits of white-box attacks and black-box attacks.
How to accelerate Black-Box attacks?
Cloud APIs are deployed behind a load balancer that distributes the traffic across several servers.
Well, how can we accelerate Black-Box attacks?
Local Models & Cloud APIs
Most prior research used local models to test black-box attacks.
We initiate the black-box attacks directly against cloud services.
Most prior research used local models to test black-box attacks because sending queries to cloud services is slow, while querying a local model with GPU acceleration is much faster.
Attacking Cloud APIs is more challenging than attacking local models
Attacking cloud APIs achieve less success rate than attacking local models.
Attacking cloud APIs requires more queries than attacking local models.
Our experimental results demonstrate that attacking Cloud APIs is more challenging than attacking local models. For local search and gradient estimation methods, attacking cloud APIs achieve less success rate than attacking local models. In our experiments, we limit the number of queries for each image to be at most 1,000, which is quite challenging. As a result, the baseline method only achieves a success rate of roughly 5%.
DeepAPI - The Cloud API we attack
We open-source our image classification cloud service for research on black-box attacks.
The cloud API we attack is DeepAPI, an image classification cloud service we open-source for research on black-box attacks.
Here's a quick demo. We can upload images to the cloud server, and receive the classification results.
DeepAPI Deployment
Using Docker
$ docker run -p 8080:8080 wuhanstudio/deepapi
Serving on port 8080...
Using Pip
$ pip install deepapi
$ python -m deepapi
Serving on port 8080...
To make the deployment of DeepAPI easier, we provide a Docker image as well as a python package which can be installed via pip install deepapi, and start the server using a single command.
Horizontal Distribution
Horizontal Distribuion sends out concurrent queries across images at the same iteration, so we receive the query results for different images simultaneously, and then move on to the next iteration.
Horizontal distribution reduces the total attack time by a factor of five.
After applying horizontal distribution, we can see that the total attack time is reduced by a factor of five. The total time of attacking 100 images was reduced from over 20h to 4h.
Vertical Distribution
On the other side, vertical distribution sends out concurrent queries across iterations for the same image. For each image, we generate multiple adversarial perturbations and send out queries concurrently across iterations.
Vertical distribution achieves succeesful attacks much earlier.
After applying vertical distribution, besides reducing the attack time, both local search and gradient estimation methods achieve early successful attacks. The probability of the original predicted class drops faster.
Conclusion
In conclusion, our research demonstrates that it is possible to exploit load balancing to accelerate online black-box attacks against cloud services.
Thanks
Source Code
You can find the source code and the slides on this website. Thank you. (7min)
Distributed Black-box Attack against Image Classification Cloud Services Han Wu, Sareh Rowlands, and Johan Wahlstrom Source Code Hi, I'll present Distributed Black-box Attack against Image Classification Cloud Services. Black-box attacks can fool image classification models without access to model details. Our research intends to investigate if black-box attacks have become a real threat against image classification models deployed on cloud servers.
