Blackbox Attacks via Surrogate Ensemble Search
Authors: Zikui Cai, Chengyu Song, Srikanth Krishnamurthy, Amit Roy-Chowdhury, Salman Asif
NeurIPS 2022

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We perform extensive experiments for (score-based) blackbox attacks using a variety of surrogate and blackbox victim models for both targeted and untargeted attacks. |
| Researcher Affiliation | Academia | Zikui Cai, Chengyu Song, Srikanth Krishnamurthy, Amit Roy-Chowdhury, M. Salman Asif, University of California Riverside |
| Pseudocode | Yes | Algorithm 1 Perturbation Machine: δ, x*(w) = PM(x, w, δinit) and Algorithm 2 BASES: Blackbox Attack via Surrogate Ensemble Search |
| Open Source Code | Yes | Our code is available at https://github.com/CSIPlab/BASES. |
| Open Datasets | Yes | We mainly use 1000 ImageNet-like images from the NeurIPS-17 challenge [55, 56], which provides the ground truth label and a target label for each image. |
| Dataset Splits | No | The paper uses pre-trained models and evaluates on 1000 ImageNet-like images from the NeurIPS-17 challenge, but does not explicitly state training/validation/test dataset splits for their own experimental setup. |
| Hardware Specification | Yes | In our experiments, one query generation with {4, 10, 20} surrogate models requires nearly {2.4s, 9.6s, 18s} per image on Nvidia GeForce RTX 2080 TI. |
| Software Dependencies | No | The paper mentions PyTorch Torchvision [30] but does not provide specific version numbers for software dependencies like Python or PyTorch libraries. |
| Experiment Setup | Yes | In contrast with TREMBA and GFCS, which set the maximum query count to 10,000 and 50,000, respectively, we set the maximum count to be 500 and only run our method for 50 queries in the worst case. We evaluated our method under both l1 and l2 norm bound, with commonly used perturbation budgets of 1/16 and 2/255... For attacking Google Cloud Vision API, we reduce the norm bound to 1/12. We vary our ensemble size N ∈ {4, 10, 20} by picking the first N model from the set. |