Efficient black box adversarial attacks exploiting input data structure
US11455515B2 · kind B2 · utility
Key dates
| Event | Date |
| --- | --- |
| Filing date | Sep 24, 2019 |
| Grant date | Sep 27, 2022 |
| Priority date | — |
| Expiry date | Mar 22, 2041 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06T2207/20084
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Markov random field parameters are identified to use for covariance modeling of correlation between gradient terms of a loss function of the classifier. A subset of images are sampled, from a dataset of images, according to a normal distribution to estimate the gradient terms. Black-box gradient estimation is used to infer values of the parameters of the Markov random field according to the sampling. Fourier basis vectors are generated from the inferred values. An original image is perturbed using the Fourier basis vectors to obtain loss function values. An estimate of a gradient is obtained from the loss function values. An image perturbation is created using the estimated gradient. The image perturbation is added to an original input to generate a candidate adversarial input that maximizes loss in identifying the image by the classifier. The neural network classifier is queried to determine a classifier prediction for the candidate adversarial input.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.