Distributed Black-box Attack against Image Classification Cloud Services
Han Wu, Sareh Rowlands, and Johan Wahlstrom
Source Code
Hi, I'll present Distributed Black-box Attack against Image Classification Cloud Services. Black-box attacks can fool image classification models without access to model details. Our research intends to investigate if black-box attacks have become a real threat against image classification models deployed on cloud servers.
Deep Learning Models are vulnerable to Adversarial Attacks
White-box Attacks: fast and efficient.
Black-box Attacks: slow and rely on queries.
Increasing the attack success rate.
Reducing the number of queries.
Reducing the total attack time.
It is no longer a secret that Deep Learning Models are vulnerable to Adversarial Attacks. We can generate human-imperceptible perturbations to fool image classification models. Existing adversarial attacks consist of white-box attacks and black-box attacks.
White-box attacks have full access to model details, and are fast and efficient. They can attack deep learning models in real time. On the other hand, black-box attacks do not require access to model structure and weights, but they rely on queries and are slow.
For black-box attacks, prior research has primarily focused on increasing the attack success rate and reducing the number of queries. However, another crucial factor is the time required to perform the attack. Black-box attacks can be a real threat if they are both time efficient and can achieve a high success rate. So we investigate if it is possible to reduce the total attack time.
How to accelerate Black-Box attacks?
Cloud APIs are deployed behind a load balancer that distributes the traffic across several servers.
Well, how can we accelerate Black-Box attacks?
Black-box attacks rely on queries, which is time-consuming. Our experimental results demonstrate that sending out 10 queries concurrently takes roughly the same time as sending out 1 query, which means that we can accelerate black-box attacks by sending out queries concurrently. The more queries we send, the less time each query takes on average.
This is because modern cloud APIs are usually deployed behind a load balancer. The load balancer distributes the traffic across several servers, thus we can get query results of multiple concurrent requests simultaneously. (2min)
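The load-balancing behaviour described above cuts both ways for the service operator: a per-image query budget enforced on each replica separately is multiplied by the number of replicas once queries are spread round-robin, while a counter shared across replicas keeps the budget intact. The following simulation is an added example, not code from the paper or from DeepAPI; the replica count, latency, budget and client key are assumed values.

```python
import math
from collections import Counter

# Constructed model of a load-balanced classification API: N replicas behind a
# round-robin balancer, each taking LATENCY seconds per query and serving
# requests in parallel. The client key (API key or source IP) is assumed to be
# stable enough for the operator to count queries per client.
LATENCY = 0.5  # seconds per query, an assumed value


class Replica:
    """One backend server that, by default, only sees its own local counter."""

    def __init__(self, budget):
        self.budget = budget
        self.local_count = Counter()

    def classify(self, client, shared_count=None):
        # Same budget check on every replica; the only difference is whether
        # the counter it reads is local to this replica or shared by all.
        counter = shared_count if shared_count is not None else self.local_count
        counter[client] += 1
        return counter[client] <= self.budget  # True = query answered


def run_query_session(n_replicas, budget, total_queries, concurrency, shared):
    """One client sends `total_queries` for a single image in batches of
    `concurrency`; the balancer spreads them round-robin over the replicas.
    Returns (queries_answered, wall_time_seconds)."""
    replicas = [Replica(budget) for _ in range(n_replicas)]
    shared_count = Counter() if shared else None
    answered = 0
    for i in range(total_queries):
        if replicas[i % n_replicas].classify("client-A", shared_count):
            answered += 1
    # Concurrent queries in a batch complete in roughly one latency period.
    batches = math.ceil(total_queries / concurrency)
    return answered, batches * LATENCY


if __name__ == "__main__":
    for shared in (False, True):
        answered, secs = run_query_session(5, 100, 1000, 10, shared)
        kind = "shared" if shared else "per-replica"
        print(f"{kind} budget of 100: {answered} queries answered in {secs}s")
```

With five replicas and a per-replica budget of 100, the client gets 500 answers for one image; with a shared counter it gets exactly 100, regardless of how many queries are sent concurrently.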
Before introducing the cloud service we attack, we notice that ...
Local Models & Cloud APIs
Most prior research used local models to test black-box attacks.
We initiate the black-box attacks directly against cloud services.
Most prior research used local models to test black-box attacks because sending queries to cloud services is slow, while querying a local model with GPU acceleration is much faster.
However, testing black-box attacks against local models could introduce several mistakes in the query process that gave their methods an unfair advantage. For example, prior research usually resizes input images to be the same shape as the model input and then applies the perturbation, which means they assume they have access to the input shape of the model. Some methods outperformed the state-of-the-art partially because these mistakes gave them access to information that should not be assumed to be available in black-box attacks.
As a result, we initiate black-box attacks directly against cloud services to avoid making similar mistakes, and we apply the perturbation directly to the original input image. (3min)
Attacking Cloud APIs is more challenging than attacking local models
Attacking cloud APIs achieves a lower success rate than attacking local models.
Attacking cloud APIs requires more queries than attacking local models.
Our experimental results demonstrate that attacking Cloud APIs is more challenging than attacking local models. For local search and gradient estimation methods, attacking cloud APIs achieves a lower success rate than attacking local models. In our experiments, we limit the number of queries for each image to be at most 1,000, which is quite challenging. As a result, the baseline method only achieves a success rate of roughly 5%.
Besides, attacking cloud APIs requires more queries than attacking local models. For the baseline method, we do not see an evident increase because the attack success rate is relatively low. Most attacks consume all of the query budget.
DeepAPI - The Cloud API we attack
We open-source our image classification cloud service for research on black-box attacks.
The cloud API we attack is DeepAPI, an image classification cloud service we open-source for research on black-box attacks.
Here's a quick demo. We can upload images to the cloud server, and receive the classification results.
Besides uploading images from the website, we can also use the API to do image classification so that we can automate the query process to initiate black-box attacks.
DeepAPI Deployment
Using Docker
$ docker run -p 8080:8080 wuhanstudio/deepapi
Serving on port 8080...
Using Pip
$ pip install deepapi
$ python -m deepapi
Serving on port 8080...
To make the deployment of DeepAPI easier, we provide a Docker image as well as a Python package which can be installed via pip install deepapi, and the server can be started using a single command.
Furthermore, we design two general frameworks, horizontal and vertical distribution, that can be applied to existing black-box attacks to reduce the total attack time. (5 min)
Horizontal Distribution
Horizontal Distribution sends out concurrent queries across images at the same iteration, so we receive the query results for different images simultaneously, and then move on to the next iteration.
The benefit of horizontal distribution is that we do not need to redesign the black-box attacks, we only need to replace the original model query with concurrent queries.
Horizontal distribution reduces the total attack time by a factor of five.
After applying horizontal distribution, we can see that the total attack time is reduced by a factor of five. The total time of attacking 100 images was reduced from over 20h to 4h.
Vertical Distribution
On the other side, vertical distribution sends out concurrent queries across iterations for the same image. For each image, we generate multiple adversarial perturbations and send out queries concurrently across iterations.
For vertical distribution, we need to redesign the black-box attacks to decouple the queries across iterations.
In the research paper, we use both local search and gradient estimation methods as examples to illustrate how to re-design the algorithm to apply vertical distribution.
Vertical distribution achieves successful attacks much earlier.
After applying vertical distribution, besides reducing the attack time, both local search and gradient estimation methods achieve early successful attacks. The probability of the original predicted class drops faster.
Conclusion
In conclusion, our research demonstrates that it is possible to exploit load balancing to accelerate online black-box attacks against cloud services.
And we open-source our image classification cloud service to facilitate future research on distributed black-box attacks, so that we can test whether black-box attacks have become a practical threat against machine learning models deployed on cloud servers.
Thanks
Source Code
You can find the source code and the slides on this website. Thank you. (7min)