Belangrijkste concepten
The core message of this paper is to propose a novel Latent Code Augmentation (LCA) method that leverages the pre-trained Stable Diffusion model to efficiently generate data for training a substitute model that closely resembles the target model, thereby enabling effective black-box attacks without access to the target model's training data.
Samenvatting
The paper presents a two-stage data-free substitute attack scheme that utilizes the pre-trained Stable Diffusion (SD) model.
In the first stage, the authors infer member data that matches the distribution of the target model using Membership Inference (MI) and encode them into a codebook.
In the second stage, the authors propose Latent Code Augmentation (LCA) to augment the latent codes of the member data and use them as guidance for the SD to generate diverse data that aligns with the target model's data distribution.
The generated data is then used to train the substitute model, which is subsequently used to generate adversarial samples for attacking the target model.
The key highlights of the paper are:
- The authors leverage the pre-trained SD model to efficiently generate diverse data, overcoming the limitations of GAN-based schemes that require retraining the generator for each target model.
- The proposed LCA method guides the SD to generate data that closely matches the data distribution of the target model, addressing the issues of domain mismatch and class imbalance in the generated data.
- Extensive experiments demonstrate that the authors' LCA-based scheme outperforms state-of-the-art GAN-based substitute attack methods in terms of attack success rates and query efficiency across different target models and datasets.
Statistieken
"A little imperceptible adversarial perturbations can cause autonomous vehicles to make wrong decisions, leading to severe consequences."
"The substitute-based schemes utilize knowledge distillation methods to make the output of the substitute model fit the output of the target model."
"The data continuously generated by the LCA-guided SD in Stage 2 is used to train the substitute model."
Citaten
"To overcome these limitations, we consider utilizing the diffusion model to generate data, and propose a novel data-free substitute attack scheme based on the Stable Diffusion (SD) to improve the efficiency and accuracy of substitute training."
"Thanks to the LCA guidance, the SD is able to generate images that are consistent with the data distribution of the member data."
"Experimental results demonstrate that our LCA is able to significantly improve the substitute training efficiency and outperforms the existing state-of-the-art (SOTA) substitute attack solutions based on GANs in scenarios where no training data from the target model is available."