About attack types

[Lexton123]

Hi, Dainel:

I read in some other papers that they defined Meta-attack as a grey-box attack. What do you think of this?

When using a surrogate model, we don't have any parameters about the target model. In this case, can't it be counted as a black-box attack? Perhaps it is because of the use of complete datasets, such as training labels.

I'm confused that the definition of grey-box and black-box, in the field of graph adversarial.

I will appreciate if you could share your thoughts with me.

[danielzuegner]

Hi,

if you can point me to some of the places I can have a look. I don't think there's a formal definition of black vs. grey-box, and the fact that we're doing poisoning further complicates the picture. I would say that, since we match the architecture of the surrogate model quite closely to the target model (message-passing, two layers), it could be fair to call it a grey-box attack. Moreover, as you mention, we assume that we know the training labels & training data.

[Lexton123]

Thank you very much for your reply. I seem to know the reason why it is defined as a grey-box attack. As you mentioned, the structure of the surrogate model and the target model are almost the same. However, most black-box only have the ability to query and can't access the training labels.

If you are interested, you can browse this review.

Thank you sincerely.