Associate Professor of Economics
University of Oklahoma
Research Affiliate
Institute for the Study of Labor (IZA)
Fellow
Global Labor Organization (GLO)
Contact:
Department of Economics
University of Oklahoma
322 CCD1, 308 Cate Center Drive
Norman, OK 73072
HopSkipJumpAttack: A Query-Efficient Decision-Based Attack
The goal of a decision-based adversarial attack on a trained model is to generate adversarial examples based solely on observing output labels returned by the targeted model. We develop HopSkipJumpAttack, a family of algorithms based on a novel estimate of the gradient direction using binary information at the decision boundary. The proposed family includes both untargeted and targeted attacks optimized for \(l_2\) and \(l_\infty\) similarity metrics respectively. Theoretical analysis is provided for the proposed algorithms and the gradient direction estimate. Experiments show HopSkipJumpAttack requires significantly fewer model queries than several state-of-the-art decision-based adversarial attacks. It also achieves competitive performance in attacking several widely-used defense mechanisms.
Aha! Adaptive History-driven Attack for Decision-based Black-box Models
The decision-based black-box attack means to craft adversarial examples with only the top-1 label of the victim model available. A common practice is to start from a large perturbation and then iteratively reduce it with a deterministic direction and a random one while keeping it adversarial. The limited information obtained from each query and inefficient direction sampling impede attack efficiency, making it hard to obtain a small enough perturbation within a limited number of queries. To tackle this problem, we propose a novel attack method termed Adaptive History-driven Attack (AHA) which gathers information from all historical queries as the prior for current sampling. Moreover, to balance between the deterministic direction and the random one, we dynamically adjust the coefficient according to the ratio of the actual magnitude reduction to the expected one. Such a strategy improves the success rate of queries during optimization, letting adversarial examples move swiftly along the decision boundary. Our method can also integrate with subspace optimization like dimension reduction to further improve efficiency. Extensive experiments on both ImageNet and CelebA datasets demonstrate that our method achieves at least 24.3% lower magnitude of perturbation on average with the same number of queries. Finally, we prove the practical potential of our method by evaluating it on popular defense methods and a real-world system provided by MEGVII Face++.
BO-DBA: Query-Efficient Decision-Based Adversarial Attacks via Bayesian Optimization
Decision-based attacks (DBA), wherein attackers perturb inputs to spoof learning algorithms by observing solely the output labels, are a type of severe adversarial attacks against Deep Neural Networks (DNNs) requiring minimal knowledge of attackers. State-of-the-art DBA attacks relying on zeroth-order gradient estimation require an excessive number of queries. Recently, Bayesian optimization (BO) has shown promise in reducing the number of queries in score-based attacks (SBA), in which attackers need to observe real-valued probability scores as outputs. However, extending BO to the setting of DBA is nontrivial because in DBA only output labels instead of real-valued scores, as needed by BO, are available to attackers. In this paper, we close this gap by proposing an efficient DBA attack, namely BO-DBA. Different from existing approaches, BO-DBA generates adversarial examples by searching so-called directions of perturbations. It then formulates the problem as a BO problem that minimizes the real-valued distortion of perturbations. With the optimized perturbation generation process, BO-DBA converges much faster than the state-of-the-art DBA techniques. Experimental results on pre-trained ImageNet classifiers show that BO-DBA converges within 200 queries while the state-of-the-art DBA techniques need over 15,000 queries to achieve the same level of perturbation distortion. BO-DBA also shows similar attack success rates even as compared to BO-based SBA attacks but with less distortion.
CGBA: Curvature-aware Geometric Black-box Attack
Decision-based black-box attacks often necessitate a large number of queries to craft an adversarial example. Moreover, decision-based attacks based on querying boundary points in the estimated normal vector direction often suffer from inefficiency and convergence issues. In this paper, we propose a novel query-efficient curvature-aware geometric decision-based black-box attack (CGBA) that conducts boundary search along a semicircular path on a restricted 2D plane to ensure finding a boundary point successfully irrespective of the boundary curvature. While the proposed CGBA attack can work effectively for an arbitrary decision boundary, it is particularly efficient in exploiting the low curvature to craft high-quality adversarial examples, which is widely seen and experimentally verified in commonly used classifiers under non-targeted attacks. In contrast, the decision boundaries often exhibit higher curvature under targeted attacks. Thus, we develop a new query-efficient variant, CGBA-H, that is adapted for the targeted attack. In addition, we further design an algorithm to obtain a better initial boundary point at the expense of some extra queries, which considerably enhances the performance of the targeted attack. Extensive experiments are conducted to evaluate the performance of our proposed methods against some well-known classifiers on the ImageNet and CIFAR10 datasets, demonstrating the superiority of CGBA and CGBA-H over state-of-the-art non-targeted and targeted attacks, respectively. The source code is available at https://github.com/Farhamdur/CGBA.
GeoDA: a geometric framework for black-box adversarial attacks
Adversarial examples are known as carefully perturbed images fooling image classifiers. We propose a geometric framework to generate adversarial examples in one of the most challenging black-box settings where the adversary can only generate a small number of queries, each of them returning the top-1 label of the classifier. Our framework is based on the observation that the decision boundary of deep networks usually has a small mean curvature in the vicinity of data samples. We propose an effective iterative algorithm to generate query-efficient black-box perturbations with small ℓp norms for p ≥ 1, which is confirmed via experimental evaluations on state-of-the-art natural image classifiers. Moreover, for p = 2, we theoretically show that our algorithm actually converges to the minimal ℓ2-perturbation when the curvature of the decision boundary is bounded. We also obtain the optimal distribution of the queries over the iterations of the algorithm. Finally, experimental results confirm that our principled black-box attack algorithm performs better than state-of-the-art algorithms as it generates smaller perturbations with a reduced number of queries.
Hard-label based Small Query Black-box Adversarial Attack
We consider the hard-label based black-box adversarial attack setting which solely observes the target model’s predicted class. Most of the attack methods in this setting suffer from impractical number of queries required to achieve a successful attack. One approach to tackle this drawback is utilising the adversarial transferability between white-box surrogate models and blackbox target model. However, the majority of the methods adopting this approach are soft-label based to take the full advantage of zeroth-order optimisation. Unlike mainstream methods, we propose a new practical setting of hard-label based attack with an optimisation process guided by a pre-trained surrogate model. Experiments show the proposed method significantly improves the query efficiency of the hard-label based black-box attack across various target model architectures. We find the proposed method achieves approximately 5 times higher attack success rate compared to the benchmarks, especially at the small query budgets as 100 and 250.
Policy-Driven Attack: Learning to Query for Hard-label Black-box Adversarial Examples
To craft black-box adversarial examples, adversaries need to query the victim model and take proper advantage of its feedback. Existing black-box attacks generally suffer from high query complexity, especially when only the top-1 decision (i.e., the hard-label prediction) of the victim model is available. In this paper, we propose a novel hard-label black-box attack named Policy-Driven Attack, to reduce the query complexity. Our core idea is to learn promising search directions of the adversarial examples using a well-designed policy network in a novel reinforcement learning formulation, in which the queries become more sensible. Experimental results demonstrate that our method can significantly reduce the query complexity in comparison with existing state-of-the-art hard-label black-box attacks on various image classification benchmark datasets. Code and models for reproducing our results are available at https://github.com/ZiangYan/pda.pytorch.
QEBA: Query-Efficient Boundary-Based Blackbox Attack
Machine learning (ML), especially deep neural networks (DNNs) have been widely used in various applications, including several safety-critical ones (e.g. autonomous driving). As a result, recent research about adversarial examples has raised great concerns. Such adversarial attacks can be achieved by adding a small magnitude of perturbation to the input to mislead model prediction. While several whitebox attacks have demonstrated their effectiveness, which assume that the attackers have full access to the machine learning models; blackbox attacks are more realistic in practice. In this paper, we propose a Query-Efficient Boundary-based blackbox Attack (QEBA) based only on model’s final prediction labels. We theoretically show why previous boundary-based attack with gradient estimation on the whole gradient space is not efficient in terms of query numbers, and provide optimality analysis for our dimension reduction-based gradient estimation. On the other hand, we conducted extensive experiments on ImageNet and CelebA datasets to evaluate QEBA. We show that compared with the state-of-the-art blackbox attacks, QEBA is able to use a smaller number of queries to achieve a lower magnitude of perturbation with 100% attack success rate. We also show case studies of attacks on real-world APIs including MEGVII Face++ and Microsoft Azure.
Sign-OPT: A Query-Efficient Hard-label Adversarial Attack
We study the most practical problem setup for evaluating adversarial robustness of a machine learning system with limited access: the hard-label black-box attack setting for generating adversarial examples, where limited model queries are allowed and only the decision is provided to a queried data input. Several algorithms have been proposed for this problem but they typically require huge amount (>20,000) of queries for attacking one example. Among them, one of the state-of-the-art approaches (Cheng et al., 2019) showed that hard-label attack can be modeled as an optimization problem where the objective function can be evaluated by binary search with additional model queries, thereby a zeroth order optimization algorithm can be applied. In this paper, we adopt the same optimization formulation but propose to directly estimate the sign of gradient at any direction instead of the gradient itself, which enjoys the benefit of single query. Using this single query oracle for retrieving sign of directional derivative, we develop a novel query-efficient Sign-OPT approach for hard-label black-box attack. We provide a convergence analysis of the new algorithm and conduct experiments on several models on MNIST, CIFAR-10 and ImageNet. We find that Sign-OPT attack consistently requires 5× to 10× fewer queries when compared to the current state-of-the-art approaches, and usually converges to an adversarial example with smaller perturbation.
SurFree: a fast surrogate-free black-box attack
Machine learning classifiers are critically prone to evasion attacks. Adversarial examples are slightly modified inputs that are then misclassified, while remaining perceptively close to their originals. The last couple of years have witnessed a striking decrease in the amount of queries a black box attack submits to the target classifier, in order to forge adversarials. This particularly concerns the black box score-based setup, where the attacker has access to top predicted probabilities: the amount of queries went from millions to less than a thousand. This paper presents SurFree, a geometrical approach that achieves a drastic reduction in the amount of queries in the hardest setup: black box decision-based attacks (only the top-1 label is available). We first highlight that the most recent attacks in that setup, HSJA [3], QEBA [14] and GeoDA [23] all perform costly gradient surrogate estimations. SurFree proposes to bypass these, by instead focusing on careful trials along diverse directions, guided by precise indications of geometrical properties of the classifier decision boundaries. We motivate this geometric approach before performing a head-to-head comparison with previous attacks with the amount of queries as a first class citizen. We exhibit a faster distortion decay under low query amounts (few hundreds to a thousand), while remaining competitive at higher query budgets.
Triangle Attack: A Query-efficient
Decision-based attack poses a severe threat to real-world applications since it regards the target model as a black box and only accesses the hard prediction label. Great efforts have been made recently to decrease the number of queries; however, existing decision-based attacks still require thousands of queries in order to generate good quality adversarial examples. In this work, we find that a benign sample, the current and the next adversarial examples can naturally construct a triangle in a subspace for any iterative attacks. Based on the law of sines, we propose a novel Triangle Attack (TA) to optimize the perturbation by utilizing the geometric information that the longer side is always opposite the larger angle in any triangle. However, directly applying such information on the input image is ineffective because it cannot thoroughly explore the neighborhood of the input sample in the high dimensional space. To address this issue, TA optimizes the perturbation in the low frequency space for effective dimensionality reduction owing to the generality of such geometric property. Extensive evaluations on ImageNet dataset show that TA achieves a much higher attack success rate within 1,000 queries and needs a much less number of queries to achieve the same attack success rate under various perturbation budgets than existing decision-based attacks. With such high efficiency, we further validate the applicability of TA on real-world API, i.e., Tencent Cloud API.
Beating the Heat: Temperature and Spatial Reallocation over the Long Run
with Christos Makridis.
Does temperature affect real economic activity? Using the annual Current Population Survey between 1963 and 2015, we show that there is no association between temperature and earnings, hours, or output after controlling for time-invariant spatial heterogeneity and time-varying demographic factors. These results are robust to five separate sources of micro-data, different sampling horizons, functional forms, spatial measures of temperature, and subsets of the data. This paper studies the relationship between temperature and productivity across space and time. Motivated by these null results, we develop a spatial equilibrium model where temperature can affect not only firm productivity, but also individual locational choice. After calibrating the model, we use it to disentangle the role of reallocation versus actual productivity losses in the U.S. economy between 1980 and 2015. Nearly all of the variation is driven by reallocation. We subsequently use the model to evaluate a counterfactual climate scenario and recover a new spatial equilibrium for the U.S. economy by 2050.
The Role of Supply and Demand Factors in Explaining the Migration of College Majors
This paper documents a new stylized fact about the United States labor market: internal migration rates are dramatically different across college majors. For some college majors, migration rates are even lower than those without a college degree. I relate major migration rates with majors' spatial concentration and find that a major's spatial concentration explains about one fourth of the cross-major variation in migration rates. With this descriptive evidence as a guide, I estimate a structural model of locational choice where college graduates have heterogeneous preferences---at the detailed major level---for living close to home, and for working in a location with a high concentration of their fellow majors. Using estimates of the structural model, I decompose the cross-major migration rates into supply and demand factors and find that supply factors (i.e. moving costs) explain the vast majority of differences in migration rates across majors. My findings underscore the difficulty in attracting college majors to a particular location using demand-side investments. My results also highlight the importance of place in determining the labor market outcomes of college majors.
Measuring Women's Wage Returns to Human Capital
with Jared Ashworth.
This paper estimates the wage returns to schooling and actual early work experiences for young women using the NLSY surveys. We estimate a dynamic model of young women’s schooling, work, marriage and fertility decisions in order to account for the likely impacts on future wages. The results of the model without controlling for the decision process indicate a negative effect of children on earnings. Our full model explains how this occurs, demonstrating the importance of modeling these key life decisions, while controlling for unobserved ability.
What is the Role of College Athletics? An Analysis of the Population of NCAA Athletes
with Ahmed El Fatmaoui.
Coming soon.
Credit Constraints, College Major Choices, and Upward Mobility
with Menaka Hampole and Johnathan G. Conzelmann.
We investigate how easing credit constraints affects college graduates' choices in majors and migration, focusing on the impact of student loan debt. Using a rich dataset combining university, credit bureau, and other records, we examine the effects of loan reduction or "No Loan" policies at select universities on students' major choices and migration decisions. By analyzing data across different dimensions, including parental financial constraints and socioeconomic networks, we aim to provide new insights into the relationship between education financing and upward economic mobility.
Elevation in Obesity: Uncovering the Geographical Aspects of Health
with Pallab Ghosh.
Coming soon.
Why Are Americans Still Becoming More Obese? Causes Beyond Caloric Imbalances
In the U.S. and other developed countries, obesity rates have risen despite stabilized caloric intake and increased physical activity, challenging the traditional energy balance model. This proposal introduces a metabolic-centric model, grounded in recent biochemistry advances, to explain this paradox. It posits that metabolic disruptions, driven by factors such as increased levels of Omega-6 fatty acids in the food supply, environmental contaminants, or microbiome changes, are key. I critically review data sources and empirical evidence supporting these channels. Furthermore, I outline how economists, with their unique perspectives on incentives and tradeoffs, can contribute to innovative solutions for the obesity epidemic.