Adversarial Classification

Distributed Black-box Attack against Image Classification Cloud Services

Han Wu, Sareh Rowlands, and Johan Wahlstrom

Source Code

Deep Learning Models are vulnerable to Adversarial Attacks

White-box Attacks: fast and efficient.

Black-box Attacks: slow and rely on queries.

Increasing the attack succes rate.
Reducing the number of queries.
Reducing the total attack time.

It is no more a secret that Deep Learning Models are vulnerable to Adversarial Attacks. We can generate human-unperceivable perturbations to fool image classification models. Existing adversarial attacks consits of white-box attacks and black-box attacks.

White-box attacks have full access to model details, and are fast and efficient. They can attack deep learning mdoels in real time. On the other side, black-box attacks do not require access to model structure and weights, but they rely on queries and are slow.

For black-box attacks, prior research has primarily focused on increasing the attack success rate and reducing the number of queries. However, another crucial factor is the time required to perform the attack. Black-box attacks can be a real threat if they are both time efficient and can achieve a high success rate. So we investigate if it is possible to reduce the total attack time.

How to accelerate Black-Box attacks?

Cloud APIs are deployed behind a load balancer that distributes the traffic across several servers.

Well, how can we accelerate Black-Box attacks?

Black-box attacks rely on queries, which is time consuming. Our experimental results demonstrate that sending out 10 queries concurrently takes roughly the same time as sending out 1 query, which means that we can accelerate black-box attacks by sending out queries concurrently. The more queries we send, the less time each query takes in average.

This is because modern cloud APIs are usually deployed behind a load balancer. The load balancer distributes the traffic across several servers, thus we can get query results of multiple concurrent requests simultaneously. (2min)

Before introducing the cloud service we attack, we notice that ...

Local Models & Cloud APIs

Most prior research used local models to test black-box attacks.

We initiate the black-box attacks directly against cloud services.

Most prior research used local models to test black-box attacks because sending queries to cloud services is slow, while querying a local model with GPU acceleration is much faster.

However, testing black-box attacks against local models could introduce several mistakes in the query process that gave their methtods an unfair advantage. For example, prior research usually resizes input images to be the same shape as the model input and then applies the perturbation, which means they assume they have access to the input shape of the model. Some methods outperformed the state-of-the-art partially because these mistakes gave them access to information that should not be assumed to be available in black-box attacks.

As a result, we initiate black-box attacks directly against cloud services to avoid making similar mistakes, and we apply the perturbation directly to the original input image. (3min)

Attacking Cloud APIs is more challenging than attacking local models

Attacking cloud APIs achieve less success rate than attacking local models.

Attacking cloud APIs requires more queries than attacking local models.

DeepAPI - The Cloud API we attack

We open-source our image classification cloud service for research on black-box attacks.

DeepAPI Deployment

Using Docker

                        
                            $ docker run -p 8080:8080 wuhanstudio/deepapi
                            Serving on port 8080...

Using Pip

                        
                            $ pip install deepapi

                            $ python -m deepapi
                            Serving on port 8080...

Horizontal Distribution

Horizontal distribution reduces the total attack time by a factor of five.

Vertical Distribution

Vertical distribution achieves succeesful attacks much earlier.

Conclusion

Thanks

https://distributed.wuhanstudio.uk

Source Code