Bayesian-optimization-based query-efficient black-box adversarial attacks

Assignee

• Robert Bosch GmbH · DE

Inventors

• Satya Narayan Shukla · Amherst, US
• Anit Kumar Sahu · Pittsburgh, US
• Devin T. WILLMOTT · Pittsburgh, US
• Jeremy Zieg Kolter · Pittsburgh, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06V10/82
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Performing an adversarial attack on a neural network classifier is described. A dataset of input-output pairs is constructed, each input element of the input-output pairs randomly chosen from a search space, each output element of the input-output pairs indicating a prediction output of the neural network classifier for the corresponding input element. A Gaussian process is utilized on the dataset of input-output pairs to optimize an acquisition function to find a best perturbation input element from the dataset. The best perturbation input element is upsampled to generate an upsampled best input element. The upsampled best input element is added to an original input to generate a candidate input. The neural network classifier is queried to determine a classifier prediction for the candidate input. A score for the classifier prediction is computed. The candidate input is accepted as a successful adversarial attack responsive to the classifier prediction being incorrect.