BayesOpt Adversarial Attack
Authors: Binxin Ru, Adam Cobb, Arno Blaas, Yarin Gal
ICLR 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We demonstrate empirically that our method can achieve comparable success rates with 2-5 times fewer queries compared to previous state-of-the-art black-box attacks. We empirically compare the performance of our BayesOpt attacks against the state-of-the-art black-box methods such as ZOO (Chen et al., 2017), AutoZOOM (Tu et al., 2018) and GenAttack (Alzantot et al., 2018). |
| Researcher Affiliation | Academia | Binxin Ru, Adam D. Cobb, Arno Blaas (Machine Learning Research Group, Department of Engineering Science, University of Oxford) {robin, acobb, arno}@robots.ox.ac.uk; Yarin Gal (OATML Research Group, Department of Computer Science, University of Oxford) yarin.gal@cs.ox.ac.uk |
| Pseudocode | Yes | Algorithm 1 BayesOpt Attack; Algorithm 3 BayesOpt Algorithm (in Appendix A) |
| Open Source Code | Yes | Our code is available at https://github.com/rubinxin/BayesOpt_Attack.git |
| Open Datasets | Yes | The target models that we attack follow the same architectures as those used in AutoZOOM and GenAttack; These are image classifiers for MNIST (a CNN with 99.5% test accuracy) and CIFAR10 (a CNN with 80% test accuracy). Following the experiment design in (Tu et al., 2018), we randomly select 50 correctly classified images from CIFAR10 test data and MNIST test data. For ImageNet, we also select 50 correctly classified images from the test set but perform one random targeted attack for each image. |
| Dataset Splits | No | The paper mentions "test data" for evaluating attacks but does not specify how the datasets were split into train/validation/test, either for the target models or for the attack method itself. It focuses on attacking pre-trained models. For example, "We randomly select 50 correctly classified images from CIFAR10 test data and MNIST test data." only specifies the source of the images being attacked, not how the original models were trained or any validation splits for their own method. |
| Hardware Specification | No | The paper does not provide specific details on the hardware used, such as GPU models, CPU types, or memory. |
| Software Dependencies | No | The paper does not explicitly list software dependencies with version numbers, such as specific deep learning frameworks (e.g., TensorFlow, PyTorch) or scientific computing libraries. |
| Experiment Setup | Yes | We set δmax = 0.3 for attacking MNIST and δmax = 0.05 for CIFAR10 and ImageNet, which are used in (Alzantot et al., 2018). For all the BayesOpt methods, we use GP-UCB as the acquisition function and update the GP hyperparameters every 5 BayesOpt iterations. We relearn the optimal dr for GP-BOauto-dr and the search space decomposition for ADDGP-BO every 40 iterations. |