Title: Black-box Adversarial Attacks using Substitute models: Effects of Data Distributions on Sample Transferability
Author: Vigilanza Lorenzo, Pietro (TU Delft Electrical Engineering, Mathematics and Computer Science)
Contributors: Roos, S. (mentor); Huang, J. (mentor); Hong, C. (mentor); Lan, G. (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Computer Science and Engineering
Project: CSE3000 Research Project
Date: 2022-06-24

Abstract
Machine Learning (ML) models are vulnerable to adversarial samples: human-imperceptible changes to regular input that elicit wrong output from a given model. Many adversarial attacks assume that the attacker has access to the underlying model or to the data used to train it. Instead, this paper focuses on the effect the data distribution has on the transferability of adversarial samples in a "black-box" scenario. We assume the attacker has to train a separate model (the "substitute model") and generate adversarial samples using this independent model. The substitute models are trained on different data distributions: symmetric, cross-section, or completely disjoint with respect to the data used to train the target model. The results demonstrate that an attacker only needs semantically similar data to execute an effective attack using a substitute model and well-known gradient-based adversarial generation techniques. Under ideal attack scenarios, target model accuracy can drop below 50%. Furthermore, our research shows that generating adversarial images from an ensemble of substitute models increases average attack success.
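The attack the abstract describes, reduced to a runnable toy, as an added example that is not the thesis's own PyTorch code: an attacker who never sees the target's training data trains one or two substitute models on disjoint samples from similar but shifted distributions, crafts FGSM (sign-of-input-gradient) samples against the substitutes, and measures how far the target's accuracy falls on those samples. The 2-D two-class Gaussian data, the logistic-regression models, the class centres, the perturbation budget and the ensemble gradient averaging are all assumptions chosen to keep the example dependency-free; the thesis works with image models.

```python
"""Toy substitute-model transfer attack (added example, not the thesis code).

Assumptions (not from the page): a 2-D two-class Gaussian problem and
logistic-regression models stand in for the image data and networks of
the thesis; the attack is FGSM, a standard gradient-based method; the
ensemble variant averages the input gradient over several substitutes.
"""
import math
import random


def sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so math.exp never overflows
    return 1.0 / (1.0 + math.exp(-z))


def make_dataset(rng, n_per_class, centre, spread):
    """Constructed data: class +1 around +centre, class -1 around -centre."""
    data = []
    for label in (+1, -1):
        for _ in range(n_per_class):
            x = [label * c + rng.gauss(0.0, spread) for c in centre]
            data.append((x, label))
    return data


def margin(model, x):
    """Signed score w.x + b; its sign is the predicted class."""
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def train_logreg(data, lr=0.1, epochs=300):
    """Full-batch gradient descent on the logistic loss -log sigmoid(y (w.x + b))."""
    dim = len(data[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in data:
            # d/dz of -log sigmoid(y z) is -y * (1 - sigmoid(y z))
            g = -y * (1.0 - sigmoid(y * margin((w, b), x)))
            for i in range(dim):
                gw[i] += g * x[i]
            gb += g
        n = len(data)
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def accuracy(model, data):
    correct = sum(1 for x, y in data if (margin(model, x) > 0) == (y > 0))
    return correct / len(data)


def fgsm(substitutes, x, y, eps):
    """One FGSM step x + eps * sign(d loss / d x), with the input gradient
    averaged over the given substitute models. One model is the plain
    substitute attack; several models is the ensemble variant. The target
    model is never consulted: this is what makes the attack black-box."""
    dim = len(x)
    grad = [0.0] * dim
    for w, b in substitutes:
        g = -y * (1.0 - sigmoid(y * margin((w, b), x)))  # d loss / d z
        for i in range(dim):
            grad[i] += g * w[i] / len(substitutes)      # d z / d x_i = w_i
    return [xi + eps * (1.0 if gi > 0 else -1.0 if gi < 0 else 0.0)
            for xi, gi in zip(x, grad)]


def run_transfer_attack(eps=2.0, seed=0):
    """Train a target and two substitutes on disjoint data, then report the
    target's accuracy on clean, single-substitute and ensemble FGSM samples."""
    rng = random.Random(seed)
    # Attacker never sees target_data or test_data; the substitutes come from
    # semantically similar (same two classes) but shifted distributions.
    target_data = make_dataset(rng, 200, centre=(1.5, 1.5), spread=0.5)
    test_data = make_dataset(rng, 200, centre=(1.5, 1.5), spread=0.5)
    sub_a_data = make_dataset(rng, 200, centre=(1.0, 2.0), spread=0.7)
    sub_b_data = make_dataset(rng, 200, centre=(2.0, 1.0), spread=0.6)

    target = train_logreg(target_data)
    sub_a = train_logreg(sub_a_data)
    sub_b = train_logreg(sub_b_data)

    def attacked(subs):
        return [(fgsm(subs, x, y, eps), y) for x, y in test_data]

    return {
        "clean": accuracy(target, test_data),
        "adv_single": accuracy(target, attacked([sub_a])),
        "adv_ensemble": accuracy(target, attacked([sub_a, sub_b])),
    }


if __name__ == "__main__":
    for name, acc in run_transfer_attack().items():
        print(f"{name:13s} target accuracy = {acc:.3f}")
```

Running the script shows the target's accuracy collapsing on samples crafted against a model it has never interacted with, which is the transferability the abstract relies on. Note that on this linear toy the ensemble cannot beat the single substitute: every logistic-regression substitute yields an input gradient whose sign is just -y times the sign of its weight vector, and all the substitutes agree on that sign, so the averaged gradient points the same way. The ensemble gain reported in the abstract is a property of the thesis's nonlinear image models, where different substitutes disagree on gradient direction and averaging smooths out model-specific directions.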
Subject: Adversarial attacks; Machine learning; Semantic Similarity; Pytorch; python
To reference this document use: http://resolver.tudelft.nl/uuid:bcbc50b1-479a-4738-89dc-645456cffd82
Part of collection: Student theses
Document type: bachelor thesis
Rights: © 2022 Pietro Vigilanza Lorenzo
Files: PDF final_paper_pv.pdf 816.06 KB