Deep Q learning for fooling neural networks

11/13/2018

∙

Deep learning models are vulnerable to external attacks. In this paper, we propose a Reinforcement Learning (RL) based approach to generate adversarial examples for the pre-trained (target) models. We assume a semi black-box setting where the only access an adversary has to the target model is the class probabilities obtained for the input queries. We train a Deep Q Network (DQN) agent which, with experience, learns to attack only a small portion of image pixels to generate non-targeted adversarial images. Initially, an agent explores an environment by sequentially modifying random sets of image pixels and observes its effect on the class probabilities. At the end of an episode, it receives a positive (negative) reward if it succeeds (fails) to alter the label of the image. Experimental results with MNIST, CIFAR-10 and Imagenet datasets demonstrate that our RL framework is able to learn an effective attack policy.

READ FULL TEXT

Deep Q learning for fooling neural networks

A New Ensemble Method for Concessively Targeted Multi-model Attack

Siamese networks for generating adversarial examples

Query-Efficient Black-Box Attack by Active Learning

Minimalistic Attacks: How Little it Takes to Fool a Deep Reinforcement Learning Policy

Sparse Black-box Video Attack with Reinforcement Learning

Sequential Attacks on Agents for Long-Term Adversarial Goals

AdvGAN++ : Harnessing latent layers for adversary generation

Deep Q learning for fooling neural networks

Related Research

A New Ensemble Method for Concessively Targeted Multi-model Attack

Siamese networks for generating adversarial examples

Query-Efficient Black-Box Attack by Active Learning

Minimalistic Attacks: How Little it Takes to Fool a Deep Reinforcement Learning Policy

Sparse Black-box Video Attack with Reinforcement Learning

Sequential Attacks on Agents for Long-Term Adversarial Goals

AdvGAN++ : Harnessing latent layers for adversary generation