
I am new to this stuff and trying to attack a Random Forest with the black-box FGSM attack (from cleverhans).

But I'm not sure how to implement it. They have a black-box example for MNIST data, but I don't understand where I should put my random forest and where I should attack. Any help would be appreciated.

Jeredriq Demas

1 Answer

In the current tutorial, the black-box model is a neural network implemented with TensorFlow and its predictions (the labels) are used to train a substitute model (a copy of the black-box model). The substitute model is then used to craft adversarial examples that transfer to the black-box model.

In your case, you would have to replace bbox_val in

bbox_val = batch_eval(sess, [x], [bbox_preds], [x_sub_prev],
                        args=eval_params)[0]

by the predictions of your random forest on the numpy array of substitute training data x_sub_prev.

You can find more information about the attack implemented in this tutorial in the following paper: https://arxiv.org/abs/1602.02697

  • First of all, thank you so much @NicolasPapernot, you've been a great help. So my random forest output will go into x_sub_prev as a numpy array. I want to give the FGSM results as an input to the next training cycle of the random forest. So x_adv_sub would do the job in this case, right? – Jeredriq Demas Nov 27 '18 at 11:09
  • And what would be the Y part if I add x_adv_sub to mnist.X? – Jeredriq Demas Nov 27 '18 at 11:30
  • I was planning on putting the random forest into the prep_bbox function, and adding x_adv_sub to the x_train parameter of that function – Jeredriq Demas Nov 27 '18 at 11:37
  • In the original black-box attack, you should not retrain the random forest with FGSM results because the random forest is acting as the black-box (oracle) model that you are trying to attack but do not have access to. If you are thinking of a different threat model, the answer to your question will depend on the specific threat model you are considering. – Nicolas Papernot Nov 27 '18 at 17:12
  • Well, all I want to do is train MNIST with a Random Forest, make an attack with FGSM, add the FGSM output as additional input to the random forest and continue this cycle. Would you advise me to use the cleverhans mnist_blackbox or to make everything on my own using TensorFlow? Time is the problem: even though this is my first big project with Python and machine learning (besides homework), I have to finish it fast. So in that aspect, what do you suggest @NicolasPapernot – Jeredriq Demas Nov 27 '18 at 18:36
  • In that case, I would recommend drawing inspiration from the FGSM tutorial with adversarial training, it will be closer to the pipeline you have in mind: https://github.com/tensorflow/cleverhans/blob/master/cleverhans_tutorials/mnist_tutorial_tf.py – Nicolas Papernot Nov 28 '18 at 19:11
  • The thing is it should be a random forest, so I've made changes around lines 96~108 in mnist_tutorial_tf.py and tried this https://github.com/Jeredriq/RF_BB_TF_FGSM/blob/master/mnist_tutorial_tf_random_forest.ipynb but it did not work. I'm sorry for bugging you this much but I really need some help :( – Jeredriq Demas Nov 29 '18 at 00:13
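The substitution the answer describes (oracle labels replacing bbox_val, a substitute trained on them, FGSM run on the substitute, and the oracle left untouched as the later comment insists), as a stand-alone added example that is not cleverhans code: the oracle is a constructed 2-D rule standing in for the random forest, the substitute is a hand-written logistic regression, and the final transfer rate measures how often the substitute's adversarial examples also flip the oracle's label.

```python
import math
import random

# Constructed stand-in for the black-box oracle (the random forest in the
# question): the attacker may only call it on inputs and read back labels.
# In the real pipeline this call would be rf.predict(x_sub_prev).
def oracle(x):
    return 1 if x[0] ** 2 + x[1] ** 2 > 1.0 else 0

def query_oracle(xs):
    """The step that replaces bbox_val: substitute labels come only from queries."""
    return [oracle(x) for x in xs]

def substitute_prob(model, x):
    """Substitute model: logistic regression on squared features (assumed form)."""
    w, b = model
    return 1.0 / (1.0 + math.exp(-(w[0] * x[0] ** 2 + w[1] * x[1] ** 2 + b)))

def train_substitute(xs, ys, epochs=300, lr=0.1):
    """Fit the substitute by SGD on cross-entropy against the oracle's labels."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in zip(xs, ys):
            f = [x[0] ** 2, x[1] ** 2]
            g = substitute_prob((w, b), x) - y          # d(loss)/d(logit)
            w = [w[i] - lr * g * f[i] for i in range(2)]
            b -= lr * g
    return w, b

def fgsm(model, x, eps):
    """One-step FGSM on the substitute, using the substitute's own predicted label."""
    w, _ = model
    p = substitute_prob(model, x)
    y_hat = 1 if p >= 0.5 else 0
    grad = [(p - y_hat) * 2.0 * w[i] * x[i] for i in range(2)]  # d(loss)/dx_i
    sign = lambda v: (v > 0) - (v < 0)
    return [x[i] + eps * sign(grad[i]) for i in range(2)]

def run_experiment(seed=0, n=200, eps=0.3):
    """Return substitute/oracle agreement and the FGSM transfer rate to the oracle."""
    rng = random.Random(seed)
    xs = [[rng.uniform(-1.5, 1.5), rng.uniform(-1.5, 1.5)] for _ in range(n)]
    ys = query_oracle(xs)                       # only labels cross the boundary
    model = train_substitute(xs, ys)
    agree = sum((substitute_prob(model, x) >= 0.5) == bool(y) for x, y in zip(xs, ys)) / n
    advs = [fgsm(model, x, eps) for x in xs]    # the oracle is never retrained
    transfer = sum(oracle(a) != y for a, y in zip(advs, ys)) / n
    return {"agreement": agree, "transfer": transfer}

if __name__ == "__main__":
    print(run_experiment())
```

The transfer rate is the defender-side number worth tracking: it is the fraction of substitute-crafted examples that the untouched oracle also misclassifies, and a score of zero means the substitute did not learn the oracle well enough to matter.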