Distributed Black-box Attack: Do Not Overestimate Black-box Attacks
Han Wu, Sareh Rowlands, Johan Wahlstrom
TL;DR
This paper investigates the practical threat of black-box adversarial attacks on cloud-based image classification APIs, showing that prior high-efficiency claims often rely on offline/local-model evaluation and information unavailable to cloud services. By conducting online attacks using realistic pipelines and introducing open-source tools (DeepAPI and Black-box Adversarial Toolbox) along with horizontal and vertical distribution strategies, it demonstrates significantly lower attack success under $L_{\infty}$ constraints with budgeted perturbations $\epsilon$ compared to local-model scenarios. The work emphasizes the need for realistic evaluation of cloud APIs and provides concrete methods to study practical attacks, ultimately suggesting cloud services are more robust in practice. These findings have implications for API providers and researchers, guiding more credible threat assessments and defense-oriented research.
Abstract
As cloud computing becomes pervasive, deep learning models are deployed on cloud servers and then provided as APIs to end users. However, black-box adversarial attacks can fool image classification models without access to model structure and weights. Recent studies have reported attack success rates of over 95% with fewer than 1,000 queries. The question then arises: have black-box attacks become a real threat against cloud APIs? To shed some light on this, our research indicates that black-box attacks are not as effective against cloud APIs as reported in research papers, because several common mistakes lead to overestimating the efficiency of black-box attacks. To avoid similar mistakes, we conduct black-box attacks directly on cloud APIs rather than local models.
