Since the training data for the target model in a data-free black-box attack
is not available, most recent schemes utilize GANs to generate data for
training substitute model. However, these GANs-based schemes suffer from low
training efficiency as the generator needs to be retrained for each target
model during the substitute training process, as well as low generation
quality. To overcome these limitations, we consider utilizing the diffusion
model to generate data, and propose a data-free black-box attack scheme based
on diffusion model to improve the efficiency and accuracy of substitute
training. Despite the data generated by the diffusion model exhibits high
quality, it presents diverse domain distributions and contains many samples
that do not meet the discriminative criteria of the target model. To further
facilitate the diffusion model to generate data suitable for the target model,
we propose a Latent Code Augmentation (LCA) method to guide the diffusion model
in generating data. With the guidance of LCA, the data generated by the
diffusion model not only meets the discriminative criteria of the target model
but also exhibits high diversity. By utilizing this data, it is possible to
train substitute model that closely resemble the target model more efficiently.
Extensive experiments demonstrate that our LCA achieves higher attack success
rates and requires fewer query budgets compared to GANs-based schemes for
different target models.

采用扩散模型生成数据的无数据黑盒攻击方法，结合潜在代码增强 (LCA) 技术，提高代替模型的训练效率和准确性，对不同目标模型具有更高的攻击成功率和较少的查询预算。

基于扩散模型的无数据黑盒攻击

Data-free Black-box Attack based on Diffusion Model

Deep neural network (DNN) as a popular machine learning model is found to be
vulnerable to adversarial attack. This attack constructs adversarial examples
by adding small perturbations to the raw input, while appearing unmodified to
human eyes but will be misclassified by a well-trained classifier. In this
paper, we focus on the black-box attack setting where attackers have almost no
access to the underlying models. To conduct black-box attack, a popular
approach aims to train a substitute model based on the information queried from
the target DNN. The substitute model can then be attacked using existing
white-box attack approaches, and the generated adversarial examples will be
used to attack the target DNN. Despite its encouraging results, this approach
suffers from poor query efficiency, i.e., attackers usually needs to query a
huge amount of times to collect enough information for training an accurate
substitute model. To this end, we first utilize state-of-the-art white-box
attack methods to generate samples for querying, and then introduce an active
learning strategy to significantly reduce the number of queries needed.
Besides, we also propose a diversity criterion to avoid the sampling bias. Our
extensive experimental results on MNIST and CIFAR-10 show that the proposed
method can reduce more than $90\%$ of queries while preserve attacking success
rates and obtain an accurate substitute model which is more than $85\%$ similar
with the target oracle.

本文探究了 DNN 的黑盒攻击方案，使用现有的白盒攻击方法产生的采样样本进行训练替代模型，并提出主动学习策略和多样性准则以优化其表现，实验证明该方法可以将查询数量减少超过 90% 并保持黑盒攻击成功率。

主动学习实现的查询效率高的黑盒攻击

Query-Efficient Black-Box Attack by Active Learning

Many machine learning models are vulnerable to adversarial examples: inputs
that are specially crafted to cause a machine learning model to produce an
incorrect output. Adversarial examples that affect one model often affect
another model, even if the two models have different architectures or were
trained on different training sets, so long as both models were trained to
perform the same task. An attacker may therefore train their own substitute
model, craft adversarial examples against the substitute, and transfer them to
a victim model, with very little information about the victim. Recent work has
further developed a technique that uses the victim model as an oracle to label
a synthetic training set for the substitute, so the attacker need not even
collect a training set to mount the attack. We extend these recent techniques
using reservoir sampling to greatly enhance the efficiency of the training
procedure for the substitute model. We introduce new transferability attacks
between previously unexplored (substitute, victim) pairs of machine learning
model classes, most notably SVMs and decision trees. We demonstrate our attacks
on two commercial machine learning classification systems from Amazon (96.19%
misclassification rate) and Google (88.94%) using only 800 queries of the
victim model, thereby showing that existing machine learning approaches are in
general vulnerable to systematic black-box attacks regardless of their
structure.

对机器学习模型的黑盒攻击是可能的，即使它们的结构不同。通过生成对抗性样本，并利用受害者模型标记合成训练集，攻击者可以训练出自己的替代模型，并将对抗性样本转移到受害者模型中实施攻击，该方法可以使用新的技术使攻击过程更加有效率，在 Amazon 和 Google 等公司的商业机器学习分类系统中展示了攻击的有效性。