Practical Black-Box Attacks against Machine Learning

Papernot, Nicolas; McDaniel, Patrick; Goodfellow, Ian; Jha, Somesh; Celik, Z. Berkay; Swami, Ananthram

doi:10.1145/3052973.3053009

articleMar 31, 2017Closed access

Practical Black-Box Attacks against Machine Learning

NPNicolas Papernot PMPatrick McDaniel IGIan Goodfellow SJSomesh JhaZBZ. Berkay Celik

Pennsylvania State University · OpenAI (United States) · +2 more institutions

Indexed incrossref

Abstract

Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs, while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists in…

Citation impact

3,461

total citations

FWCI: 282.60
Percentile: 100%
References: 18

Citations per year

Authors

6

NP
Nicolas PapernotCorresponding
Pennsylvania State University
PM
Patrick McDaniel
Pennsylvania State University
IG
Ian Goodfellow
OpenAI (United States)
SJ
Somesh Jha
University of Wisconsin–Madison
ZB
Z. Berkay Celik
Pennsylvania State University

Topics & keywords

Topics

Keywords

Adversarial system
Computer science
Adversary
Black box
Malware
Deep neural networks
Artificial intelligence
Deep learning

UN Sustainable Development Goals

Peace, Justice and strong institutions

No related works found for this paper.

Funding

AR
Army Research Laboratory
Award: W911NF-13-2-0045