A Frank-Wolfe Framework for Efficient and Effective Adversarial Attacks
Authors: Jinghui Chen, Dongruo Zhou, Jinfeng Yi, Quanquan Gu (pp. 3486-3494)
AAAI 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | The empirical results of attacking the ImageNet and MNIST datasets also verify the efficiency and effectiveness of the proposed algorithms. More specifically, our proposed algorithms attain the best attack performances in both white-box and black-box attacks among all baselines, and are more time and query efficient than the state-of-the-art. |
| Researcher Affiliation | Collaboration | Jinghui Chen (1), Dongruo Zhou (1), Jinfeng Yi (2), Quanquan Gu (1); (1) Department of Computer Science, University of California, Los Angeles; (2) JD AI Research |
| Pseudocode | Yes | Algorithm 1 Frank-Wolfe White-box Attack Algorithm; Algorithm 2 Frank-Wolfe Black-box Attack Algorithm; Algorithm 3 GRAD EST(x, b, δ) |
| Open Source Code | No | The paper does not contain any explicit statement about providing open-source code for the methodology, nor does it provide a link to a code repository. |
| Open Datasets | Yes | We compare the performance of all attack algorithms by evaluating on both MNIST (LeCun 1998) and ImageNet (Deng et al. 2009) datasets. |
| Dataset Splits | No | The paper uses pre-trained models and selects attack examples from existing test and validation sets (e.g., 'randomly choose 250 images from its validation set as our attack examples' for ImageNet, and '1000 images from its test set' for MNIST). It does not provide specific training/validation/test splits for reproducing the training of the models themselves. |
| Hardware Specification | Yes | All of our experiments are conducted on Amazon AWS p3.2xlarge servers which come with Intel Xeon E5 CPU and one NVIDIA Tesla V100 GPU (16G RAM). |
| Software Dependencies | Yes | All experiments are implemented in Tensorflow platform version 1.10.0 within Python 3.6.4. |
| Experiment Setup | Yes | We choose ϵ = 0.3 for MNIST dataset and ϵ = 0.05 for ImageNet dataset. For our proposed black-box attack, we test both options in Algorithm 3. We performed grid search to tune the hyper-parameters for all algorithms to ensure a fair comparison. Detailed description on hyperparameter tuning and parameter settings can be found in the Appendix. The maximum query limit is set to be 50,000 per attack. |