Transferability Attacks Sample Clauses
Transferability Attacks. In transferability attacks, attackers construct substitute models that are approximations of the oracle, as detailed in Section 2.2.5.2. Adversarial examples are then generated for these substitute models in anticipation that they will transfer to the oracle [87, 157, 160, 207, 181, 36, 131]. To evaluate MTDs against transferability attacks, we use practical strategies from prior work as well as our own novel ones.
Attack strategies from prior work are included as baselines and to show MTDs’ performance against already existing, general strategies that are not tailored to MTDs. These include the strategies discussed in Section 2.4.2, namely the Single DNN strategy [157], where a single DNN is used as the substitute model [157, 181, 36], and the Ensemble DNN strategy [131], where several DNNs are used as the substitute models.
Additionally, we propose a novel attack strategy that specifically considers that the target model may be an MTD. Even if, per our threat model, attackers do not know that the target model is an MTD, this attack strategy can still be tried in order to achieve maximal evasion against such target models. Our transferability attack strategy presents two main improvements over previous strategies, with an overview of the key steps provided in Figure 4.1. First, our strategy utilizes an ensemble of diverse substitute models (including different ML families). Second, as a novel technique to increase attack success against MTDs, our attack strategy aims to maximize the transferability of adversarial examples across substitute models prior to evaluating them on the oracle, by checking transferability across (part of) the substitute models. We include these two additions because MTDs may dynamically change the model used for predictions, and so ensuring a degree of transferability of adversarial examples between diverse substitute models maximizes success on the oracle, as we confirm experimentally later on.
We next describe each of the key steps of our strategy in detail.
