Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks

Ambra Demontis
First
;
Marco Melis;Maura Pintor;Battista Biggio
;
Fabio Roli
2019

Abstract

Transferability captures the ability of an attack against a machine-learning model to be effective against a different, potentially unknown, model. Empirical evidence for transferability has been shown in previous work, but the underlying reasons why an attack transfers or not are not yet well understood. In this paper, we present a comprehensive analysis aimed to investigate the transferability of both test-time evasion and training-time poisoning attacks. We provide a unifying optimization framework for evasion and poisoning attacks, and a formal definition of transferability of such attacks. We highlight two main factors contributing to attack transferability: the intrinsic adversarial vulnerability of the target model, and the complexity of the surrogate model used to optimize the attack. Based on these insights, we define three metrics that impact an attack’s transferability. Interestingly, our results derived from theoretical analysis hold for both evasion and poisoning attacks, and are confirmed experimentally using a wide range of linear and non-linear classifiers and datasets.
Inglese
28th USENIX Security Symposium
978-193913306-9
USENIX Association
USENIX Security 19
321
338
18
28th USENIX Security Symposium (USENIX Security 19)
Esperti anonimi
August 14-16
Santa Clara, CA, USA
internazionale
scientifica
4 Contributo in Atti di Convegno (Proceeding)::4.1 Contributo in Atti di convegno
Demontis, Ambra; Melis, Marco; Pintor, Maura; Jagielski, Matthew; Biggio, Battista; Oprea, Alina; Nita-Rotaru, Cristina; Roli, Fabio
273
8
4.1 Contributo in Atti di convegno
none
info:eu-repo/semantics/conferencePaper
Files in This Item:
There are no files associated with this item.

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.

Questionnaire and social

Share on:
Impostazioni cookie