ELAA: An Ensemble-Learning-Based Adversarial Attack Targeting Image-Classification Model

• Published in: Entropy (Basel, Switzerland) Vol. 25; no. 2; p. 215
• Main Authors: Fu, Zhongwang, Cui, Xiaohui
• Format: Journal Article
• Language: English
• Published: Switzerland MDPI AG 22.01.2023; MDPI
• Subjects: adversarial attack; Artificial intelligence; black-box attack; Classification; Computer architecture; Deep learning; Denial of service attacks; Ensemble learning; Image classification; Image processing; Machine learning; Methods; Prevention; reinforcement learning; security of AI; Success; Teaching methods; China; adversarial attack; ensemble learning; security of AI; image classification; black-box attack; reinforcement learning
• ISSN: 1099-4300; 1099-4300
• DOI: 10.3390/e25020215

The research on image-classification-adversarial attacks is crucial in the realm of artificial intelligence (AI) security. Most of the image-classification-adversarial attack methods are for white-box settings, demanding target model gradients and network architectures, which is less practical when facing real-world cases. However, black-box adversarial attacks immune to the above limitations and reinforcement learning (RL) seem to be a feasible solution to explore an optimized evasion policy. Unfortunately, existing RL-based works perform worse than expected in the attack success rate. In light of these challenges, we propose an ensemble-learning-based adversarial attack (ELAA) targeting image-classification models which aggregate and optimize multiple reinforcement learning (RL) base learners, which further reveals the vulnerabilities of learning-based image-classification models. Experimental results show that the attack success rate for the ensemble model is about 35% higher than for a single model. The attack success rate of ELAA is 15% higher than those of the baseline methods.