AMEBA: An Adaptive Approach to the Black-Box Evasion of Machine Learning Models

dc.contributor.advisor Calzavara, Stefano it_IT
dc.contributor.author Cazzaro, Lorenzo <1997> it_IT
dc.date.accessioned 2021-06-28 it_IT
dc.date.accessioned 2021-10-07T12:38:27Z
dc.date.available 2021-10-07T12:38:27Z
dc.date.issued 2021-07-16 it_IT
dc.identifier.uri http://hdl.handle.net/10579/19980
dc.description.abstract Machine learning (ML) models are vulnerable to evasion attacks, where the attacker adds an almost imperceptible perturbation to a correctly classified instance so as to induce misclassification. In the black-box setting, where the attacker only has query access to the target model, traditional attack strategies exploit a property known as transferability, i.e., the empirical observation that evasion attacks often generalize across different models. The attacker can thus rely on the following two-step attack strategy: (i) query the target model to learn how to train a surrogate model approximating it; and (ii) craft evasion attacks against the surrogate model, hoping that they “transfer” to the target model. Since the two phases are assumed to be strictly separated, this strategy is sub-optimal and under-approximates the possible actions that a real attacker might take. In this thesis we present AMEBA, the first adaptive approach to the black-box evasion of machine learning models. We describe the reduction from the two-step evasion problem to the MAB problem that allows us to exploit the Thompson sampling algorithm to define AMEBA. As a result, AMEBA infers the best alternation of actions for surrogate model training and evasion attack crafting. We choose multiple datasets and ML models to compare the two attack strategies. Our experiments show that AMEBA outperforms the traditional two-step attack strategy and is perfectly appropriate for practical usage. it_IT
dc.language.iso it_IT
dc.publisher Università Ca' Foscari Venezia it_IT
dc.rights © Lorenzo Cazzaro, 2021 it_IT
dc.title AMEBA: An Adaptive Approach to the Black-Box Evasion of Machine Learning Models it_IT
dc.title.alternative it_IT
dc.type Master's Degree Thesis it_IT
dc.degree.name Informatica - computer science it_IT
dc.degree.level Laurea magistrale it_IT
dc.degree.grantor Dipartimento di Scienze Ambientali, Informatica e Statistica it_IT
dc.description.academicyear 2020/2021-Sessione Estiva it_IT
dc.rights.accessrights openAccess it_IT
dc.thesis.matricno 864683 it_IT
dc.subject.miur it_IT
dc.description.note it_IT
dc.degree.discipline it_IT
dc.contributor.co-advisor it_IT
dc.date.embargoend it_IT
dc.provenance.upload Lorenzo Cazzaro (864683@stud.unive.it), 2021-06-28 it_IT
dc.provenance.plagiarycheck Stefano Calzavara (stefano.calzavara@unive.it), 2021-07-12 it_IT