Direct Attack

In a direct attack, the attacker is able to submit inputs to the actual target and receive corresponding results, enabling accurate feedback to refine adversarial input.

In such an attack, the adversary is unlikely to have access to more detail than the restricted responses that the target system returns.¹ Additionally, the feedback may not be direct but inferred; for example, failure of a video to be successfully uploaded might suggest that it has been classified as containing violent content, although the adversary did not receive this classification explicitly. Creation of adversarial input will therefore require a black box approach. As discussed in “Limited Black Box Methods”, black box approaches iteratively refine queries submitted to the system based on the responses returned to morph the input and move it to the required adversarial area of the input space.

A direct attack poses a significant problem. Finding that perfect adversarial input using a black box approach such as a boundary attack takes many iterations (tens of thousands). Each iteration also requires a handful of queries to the target DNN. That’s a lot of queries, which are unlikely to go unnoticed by the defending organization! What’s more, the throughput and latency of a commercial deployment will slow the rate at which these queries can be processed. In fact, the target system might also limit queries or introduce latency to responses specifically to protect against such an attack. If the attacker is fortunate enough to have access to the scores returned from the target, it may be possible to reduce the query volume through more intelligent strategies, such as the genetic algorithm approach described in “Score-Based Black Box Methods”. However, as discussed previously, access to the scores is likely to be limited.

The direct approach considers the complete processing chain and any active defenses being employed by the system, not only the DNN. So, although an attacker may use one of the other nondirect approaches to develop an attack, an element of direct experimentation on the target is likely to be critical to ensure the adversarial robustness of the input.

Replica Attack

An obvious approach to developing adversarial input is to use an exact replica of the target to finesse the adversarial input, prior to launching it on the target. We’ll consider a couple of scenarios: when the attacker has access to a replica of the complete target, and when the attacker has access to just the DNN algorithm.

Replica system

It is possible for the attacker to have a local copy of the complete target system to experiment with. For example, a commercially purchased digital voice assistant or perhaps an autonomous vehicle. An attacker could develop their own adversarial input on their local target by repetitive simulation queries and monitoring of the responses using a black box method.²

In practice, target systems that are commercially available to buy (not web hosted) will often not accept input digitally and return a digital response. For example, a commercially purchased digital assistant is unlikely to provide a nice programming interface to its internal processing chain for the attacker to use to iteratively refine the adversarial input based on repeated queries. Rather, it will take audio input and return audio (speech) or instigate some digital command (such as an online purchase). Automating the generation of adversarial input will be more challenging when the interaction (request or response) is not digital.

Similar to the black box attack, access to a complete replica enables the attacker to test their attack against the complete processing chain, not just against the target DNN.

Replica DNN

Armed with information about all aspects of the trained DNN under attack (that is, the model architecture and all its parameters), the attacker is in a strong position to generate adversarial input. In traditional software terms, it’s akin to having knowledge of the source code of an internal algorithm in a target system. With this knowledge and sufficient capability, the attacker can create a replica of the DNN and use any method they wish on the replica to create adversarial examples that exploit flaws in the target DNN exactly.

Using a copy of the target to develop adversarial input might seem like a no-brainer, but where would an attacker get access to a replica? Surely a security conscious organization would never knowingly share any algorithm that it uses internally? This isn’t necessarily true—as DNNs typically require large amounts of labeled data, computational resource, and a data scientist to train effectively, it would not be unreasonable for an organization to use a pretrained model obtained commercially or through open source, simply to save on time and resources. If the attacker was aware of the model being used and has some access to an identical one (either by creating a replica or using an existing published copy) they would be able to launch a replica attack. Even if the attacker had no insider knowledge of the model being used, they might be able to infer likely models from those publicly available and through educated guesswork about the target organization’s internal processing.

Transfer Attack

When the adversary does not have access to the DNN algorithm used by the defending organization, it might be possible to use a good-enough approximation of the target DNN to develop adversarial input prior to launching it on the target. This is called a transfer attack.

The transfer attack strategy is likely to be the most feasible approach in many real-life scenarios where the internal DNN implementation is unknown outside the defending organization. This approach is also preferable to a direct attack because the development of the adversarial example is performed without querying the target. Thus, it does not arouse suspicion and is not subject to any limitations on or throttling of queries.

In a transfer attack, the adversary creates a substitute model to develop the adversarial input based on some limited knowledge of the target DNN. They use white box, score-based black box, or limited black box methods on this substitute to refine the adversarial example, prior to submitting it to the target. As with a replica attack, they may not need to create their own substitute model, or they might be able to exploit an existing one (for example, an online model with open API access).

There is, of course, an obvious problem for the attacker: the substitute needs to be behave in a similar way to the target, at least on the adversarial input. So, without access to the exact model, how easy would it be to create something that was close enough to work?

Creating something akin to the target system’s DNN might appear to be an insurmountable problem. Think of the complexity of a DNN: how many layers does it have, what activation functions does it use, what’s its structure, and what are its possible outputs? Is it really possible to create adversarial input using an approximate model substitute that will transfer effectively to the target system?

The answer is quite surprising. It turns out that, with limited access to information about the model, it is sometimes possible to create an imitation close enough to the original to develop adversarial examples that will transfer between the two models.³ To understand why this is the case, consider what defines a DNN:

Input and output mappings

This includes the format and precision of the input and the allowable outputs. In the case of a DNN classifier, there’s the set of classifications and potentially the hierarchical structure of those classes (e.g., “dog” is a subset of the “animal” class).

Internal architecture

The network type (for example LSTM or CNN), its layers, and number of nodes for each layer. This includes details of the activation function(s); basically, the aspects of the model defined prior to training.

Parameters

The weights and biases established during training.

The adversary might be able to make an educated guess regarding certain aspects of these. For example, for the DNN architecture, it’s likely that image classification is performed with some type of convolutional network. The adversary may also be able to guess the resolution of the input and possible output predictions (even without information on the exhaustive list of classifications).

Given that the attacker has made some informed guesswork about the network architecture and input/output mappings, let’s consider the case where they have access to some, or all, of the training data. This is not an unreasonable assumption as, due to the cost of generating and labeling training data, training sets are often shared online.

Knowing the training data can enable the attacker to create a good approximation of the target model, even if they’re able to infer very little about its architecture. Put another way, two models with different architectures are likely to be susceptible to similar adversarial examples if they have been trained with the same data. This idea is illustrated in in Figure 7-2. Two completely different models trained on the same data are likely to establish similar prediction landscapes. This is as you would expect because the training data itself is obviously instrumental in defining the model parameters.

Figure 7-2. Input spaces of target and substitute models with training data indicated

Regions of the input space where the model returns an incorrect result are known as adversarial subspaces. These subspaces are where the training step has failed to generalize correctly. Therefore, they are likely to be at similar locations in models that share training data. Therefore, it’s probable, but not guaranteed, that an adversarial example would transfer successfully if the substitute model shared its training data with its target.

To illustrate the notion of similar adversarial subspaces across models, Figure 7-3 depicts this idea using the prediction landscapes of the two models shown in Figure 7-2. The models have similar adversarial subspaces as they are based on the same training data. Hence, adversarial examples are likely to transfer across these models.

Figure 7-3. Input spaces of target and substitute models with adversarial subspaces indicated in white

As we will see in Chapter 10, the ability to approximate a DNN model based on knowledge of the training data has important implications for information security. Training datasets should therefore be considered sensitive artifacts as they indirectly imply behavior of the machine learned models that they are used to train.

Universal Transfer Attack

A universal transfer attack is a method exploited when the adversary has no knowledge of the target DNN or its training data. In this scenario, the adversary creates adversarial input using an ensemble of substitute models. If the example works across a variety of substitutes, it may be flexible enough to transfer to the target.

It’s interesting that although training datasets may differ, they are likely to populate similar areas of the input space if they are derived from information representing the natural world. The areas of the model where there is a lack of representative data (corresponding to OoD data⁴) are likely to be similar regardless of the training dataset. Training datasets are also likely to bear similarities to each other due to (for example) common camera angles or common voice characteristics. In other words, different training datasets may have similar distributions in terms of characteristics, features, and, most importantly, adversarial subspaces.

Universal adversarial subspaces make a universal transfer attack possible. It is (unsurprisingly) more difficult to achieve, but the ability to launch a universal transfer attack is very powerful to an adversary. Adversarial input that works across models also allows an attack across a group of DNNs (such as multiple search engines). Once again, in practice an attacker might combine a universal transfer attack with direct experimentation (see the following sidebar for an example).

A most interesting application of the universal attack is in cases where the attacker receives no feedback from the target because the target organization is processing the data for its own purposes (market analysis, for example). We could consider this a “black hole” attack; the adversary may never know whether it succeeded and will need a high degree of tolerance to failure.