AGS: Affordable and Generalizable Substitute Training for Transferable Adversarial Attack
Authors: Ruikui Wang, Yuanfang Guo, Yunhong Wang
AAAI 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments demonstrate that our AGS achieves comparable or superior performance compared to substitute models pretrained on the complete ImageNet training set, when executing attacks across a diverse range of target models, including ViTs, robustly trained models, object detection and segmentation models. |
| Researcher Affiliation | Academia | Ruikui Wang 1,2, Yuanfang Guo 1,2*, Yunhong Wang 2; 1 State Key Laboratory of Software Development Environment, Beihang University, China; 2 School of Computer Science and Engineering, Beihang University, China; {rkwang, andyguo, yhwang}@buaa.edu.cn |
| Pseudocode | No | The paper provides mathematical formulations and conceptual diagrams but does not include any explicitly labeled 'Pseudocode' or 'Algorithm' blocks, nor does it present structured steps in a code-like format. |
| Open Source Code | Yes | Our source codes are available at https://github.com/lwmming/AGS. |
| Open Datasets | Yes | We train our substitute models on three unlabeled datasets, i.e., COCO (40k samples) (Lin et al. 2014), Comics (50k samples) (Cenk Bircanoglu 2017) and Paintings (79k samples) (Painter by Number 2017), respectively. For evaluation, we draw 5k images from the validation set of ImageNet (Russakovsky et al. 2015). |
| Dataset Splits | No | The paper states: 'We train our substitute models on three unlabeled datasets, i.e., COCO (40k samples), Comics (50k samples) and Paintings (79k samples), respectively.' And 'For evaluation, we draw 5k images from the validation set of ImageNet.' However, it does not specify how the training datasets (COCO, Comics, Paintings) were split into training/validation/test subsets for the substitute model's own training process. The ImageNet validation set is used for the final evaluation, effectively as a test set. |
| Hardware Specification | Yes | For the training of one AGS model, about 17 hours are demanded on a single RTX 3090 GPU, which is an affordable cost compared to training a pretrained ResNet50 model. |
| Software Dependencies | No | The paper mentions using a 'classical SGD algorithm' and various model architectures, but it does not list specific software dependencies such as programming language versions or library versions (e.g., PyTorch, TensorFlow, or CUDA versions) required to replicate the experiments. |
| Experiment Setup | Yes | Our substitute model is randomly initialized. We train it via classical SGD algorithm with a fixed learning rate of 0.1. The batch size is set to 64. The weight decay is set to 1e-4. We set ϵ_train in Eq. (6) as 1.0 and λ in Eq. (9) as 0.1. The total training epoch is set to 100. The number of iterations for Eq. (6) is set to 1. For the training of one AGS model, about 17 hours are demanded on a single RTX 3090 GPU, which is an affordable cost compared to training a pretrained ResNet50 model. After the substitute model is trained, we conduct transfer-based attack, where ϵ_test is set to 0.1, the step size is set to 1/255 and the number of iterations is set to 300. The intermediate layer l selected in Eq. (10) is layer2. |