Attacker Capabilities & Knowledge Clause Samples
Attacker Capabilities & Knowledge. For the majority of this chapter, we model all attackers who interact with StratDef in a gray-box setting with limited knowledge about the target model, as in previous work [162, 118, 185, 28]. In our threat model, attackers have access to the same training data as the target model and knowledge of the feature representation. However, attackers have no knowledge of the parameters, configurations, or constituent models of StratDef, nor of any other evaluated defense. Therefore, they must train substitute models using the training data and attack them, in the expectation that the generated adversarial examples will transfer to the target model [207, 118, 157]. This is based on the well-established idea that adversarial examples crafted for different models can be used to evade the target model [207]. Furthermore, we use different scenarios involving attacker capabilities and attack intensities with the goal of studying and evaluating the performance of StratDef under different threat levels, as in prior work [44, 46, 28, 203, 192, 168]. Attackers' capabilities may differ in their behavior, the strength and intensity of their attacks, their ability to generate adversarial examples, and more. Later, in Section 3.4.4, we describe precisely how we model different profiles for representing attackers with different capabilities. Nonetheless, for deployment, in the absence of any information about the operating environment, StratDef assumes the highest threat level, consisting of the most adverse environment and the strongest attacker. However, if there is information about the operating environment and/or the attackers within it (e.g., through cyber-threat intelligence [197, 238] or situational awareness), StratDef can use it to provide a more targeted defensive approach. Therefore, in our evaluation (see Section 3.5 later), we show how StratDef performs against different attacker scenarios and intensities, to show the whole range of its capabilities.
Nonetheless, for the comparison with other defenses later, we focus on the strongest attacker, as this is the default scenario when no information is available about the attacker or environment. Additionally, we evaluate StratDef’s performance against a black-box attacker with zero knowledge, as featured in previous work [102, 162, 157, 181, 159, 36, 52, 68, 75, 128]. This attacker only has access to the predictions of StratDef and no other knowledge. The attacker therefore performs a transferability attack, in which they constr...
Attacker Capabilities & Knowledge. We model two types of attackers with different levels of knowledge, as commonly featured in prior work [102, 118, 162]. Importantly, neither attacker knows that the target model is an MTD. The limited-knowledge gray-box attacker has access to the same training data as the target model and has knowledge of the feature representation as well as the statistical distribution of the features across the dataset. However, they have no knowledge of the parameters, configurations, or constituent models of the target model. This represents a case in which some sensitive model information has been leaked. Therefore, following the discussion in Section 2.2.5.2, which we expand on later, for transferability attacks the gray-box attacker trains substitute models using the training data and attacks them with the aim of having the adversarial examples transfer to the oracle [207, 118, 157]. Meanwhile, to conduct query attacks, the gray-box attacker uses this extensive knowledge to apply suitable perturbations using a software transplantation-based approach in a heuristically driven manner.
