A New Ensemble Adversarial Attack Powered by Long-Term Gradient Memories
Authors: Zhaohui Che, Ali Borji, Guangtao Zhai, Suiyi Ling, Jing Li, Patrick Le Callet3405-3413
AAAI 2020 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experiments indicate that our method outperforms state-of-the-art ensemble attacks over multiple pixel-to-pixel vision tasks including image translation and salient region prediction. Our method successfully fools two online black-box saliency prediction systems including Deep Gaze-II (Kummerer 2017) and SALICON (Huang et al. 2017). |
| Researcher Affiliation | Collaboration | 1Shanghai Jiao Tong University, Shanghai, China 2Markable AI Inc., Brooklyn, NY 11201 USA 3Universit e de Nantes, Nantes, France 4Alibaba Group, Hangzhou, China |
| Pseudocode | Yes | Algorithm 1 : Intra-batch update rules of SMBEA. This algorithm is applicable to the first mini-batch. mt represents the 1st gradient momentum vector, while vt represents the 2nd gradient momentum vector. is an element-wise product. ... Algorithm 2 : Inter-batch update rules of SMBEA. This algorithm is applicable to all mini-batches, except for the first one, i.e. i > 1. Notice that the superscript in brackets denotes the batch number, e.g. I (i) X is the adversary of the ith batch, while the superscript w/o brackets denotes the pow, e.g. βi 3 denotes the β3 to the power i. |
| Open Source Code | Yes | Finally, we also contribute a new repository to promote the research on adversarial attack and defense over pixel-to-pixel tasks: https://github.com/CZHQuality/AAA-Pix2pix. |
| Open Datasets | Yes | To explore the generalization ability of SMBEA, we conduct experiments on 4 pixel-to-pixel vision datasets, i.e. Cityspaces (Cordts and Omran 2016), Facades (Tylecek 2013), Google Satellites, and LSUN 17 (Jiang et al. 2015). |
| Dataset Splits | No | For selecting the good settings, we test these hyper-parameters by line-searching on 2 validation datasets, i.e. Cityspaces and LSUN 17. ... For Cityspaces, we select 1000 Semantic label & Real photo pairs as test set. For Facades, we select 400 Architectural label & Real photo pairs. For Google Satellites, we select 1000 Google Map & Satellite Image pairs. For LSUN 17, we select 1000 Real Photo & Saliency Map pairs. The paper explicitly mentions validation datasets and test set sizes, but does not specify the train/validation/test split percentages or total dataset sizes for reproduction. |
| Hardware Specification | No | The paper mentions 'GPU memory' in the context of limitations of prior work, but does not provide specific details about the hardware (e.g., GPU models, CPU types, or memory) used for running experiments. |
| Software Dependencies | No | The paper mentions various optimizers and methods (e.g., Adam, SGD, MSGD), but does not provide specific version numbers for software dependencies like programming languages or libraries required for reproduction. |
| Experiment Setup | Yes | In our implementation, each single mini-batch includes K=4 white-box source models... The default decay factors are set as μ1 = 0.9 and μ2 = 0.99. ϵ = 1 × 10−8 is a smoothing term... The maximum number of iterations X for a single batch is 20. The iterative gradient descent step size α = 2 × 10−4. We adopt L1 norm as the perceptual constraint. Finally, we clip the crafted adversary I t into the range [0, 1]... In our implementation, the default settings are β1 = 0.10, β2 = 0.01, β3 = 0.60. For different tasks, we select different task-specific loss metrics... For image-translation, we use a linear combination of Mean Absolute Error (MAE), negative Pearson’s Linear Correlation Coefficient (CC), and VGG loss... For saliency prediction, we use a linear combination of Kullback-Leibler divergence (KL), MAE, and negative CC as L1. We use KL as feature-space fooling ability loss L3... For the saliency prediction task, we adopt 16 state-of-the-art deep saliency models as the raw source models. ... we obtain 48 source models in total. |