@article{oai:ipsj.ixsq.nii.ac.jp:00222839,
 author = {由比藤, 真 and 米山, 一樹 and Makoto, Yuito and Kazuki, Yoneyama},
 issue = {12},
 journal = {情報処理学会論文誌},
 month = {Dec},
 note = {Adversarial AttacksはDeep Neural Network（DNN）における最大の脆弱性の1つである．最近では，Universal Adversarial Perturbation（UAP）と呼ばれる，任意の画像に加えることでAdversarial Examples（AE）を生成することができる単一の摂動を計算するUniversal Adversarial Attacks（UAA）が研究されている．いくつかの既存研究は，クエリアクセスのみを用いるBlack-box環境下でUAPを生成できることを示しているが，その多くは攻撃者にとって現実的ではないセッティングを含んでいる．本稿では，より現実的なセッティングに基づくBlack-box UAAを考え，効率良くUAPを生成するためのベイズ最適化を用いたBlack-box UAA手法を提案する．ImageNetでの実験において，提案手法は少ないデータ量・クエリ回数にもかかわらず，既存手法と同等の攻撃成功率（最高81%）を達成する．また，より多くのAEを生成することを目的とした場合に，提案手法が最先端のAdversarial Attacks手法のクエリ効率を上回ることを示す．, Adversarial attacks are one of the largest vulnerability of deep neural networks. Recently, universal adversarial attacks have also been studied. In the field of universal adversarial attacks, the attacker aims to compute a single perturbation, called universal adversarial perturbation (UAP), which can be added to any input image to produce an adversarial example. Several existing studies have shown that UAPs can be generated in a black-box setting, but most of them involve unrealistic settings for an attacker such as requiring huge amount of training data. We consider a more realistic setting and propose a black-box universal adversarial attack method using bayesian optimization to generate UAPs efficiently. In our experiments on ImageNet dataset, our method achieves the comparable attack success rate (up to 81%) as existing methods, despite the small amount of training data and number of queries. Moreover, we show that our method outperforms the state-of-the-art black-box adversarial attack method in terms of query efficiency when we aim to generate many adversarial examples.},
 pages = {1776--1785},
 title = {ベイズ最適化を用いたデータ・クエリ効率の良いBlack-box Universal Adversarial Attacks},
 volume = {63},
 year = {2022}
}