Boosting the Transferability of Adversarial Attacks with Reverse Adversarial Perturbation
Authors: Zeyu Qin, Yanbo Fan, Yi Liu, Li Shen, Yong Zhang, Jue Wang, Baoyuan Wu
NeurIPS 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Comprehensive experimental comparisons demonstrate that RAP can significantly boost adversarial transferability. Furthermore, RAP can be naturally combined with many existing black-box attack techniques, to further boost the transferability. When attacking a real-world image recognition system, i.e., Google Cloud Vision API, we obtain 22% performance improvement of targeted attacks over the compared method. |
| Researcher Affiliation | Collaboration | (1) School of Data Science, Shenzhen Research Institute of Big Data, The Chinese University of Hong Kong, Shenzhen; (2) Tencent AI Lab; (3) JD Explore Academy |
| Pseudocode | Yes | Algorithm 1 Reverse Adversarial Perturbation (RAP) Algorithm |
| Open Source Code | Yes | Our codes are available at: https://github.com/SCLBD/Transfer_attack_RAP. |
| Open Datasets | Yes | We conduct the evaluation on the ImageNet-compatible dataset comprised of 1,000 images. Publicly available from https://github.com/cleverhans-lab/cleverhans/tree/master/cleverhans_v3.1.0/examples/nips17_adversarial_competition/dataset |
| Dataset Splits | No | The paper does not explicitly provide validation dataset splits in the main text. |
| Hardware Specification | No | The paper does not explicitly specify hardware used for experiments such as GPU models or CPU types in the main text. |
| Software Dependencies | No | The paper does not explicitly provide specific software dependencies with version numbers in the main text. |
| Experiment Setup | Yes | Implementation Details. For untargeted attack, we adopt the Cross Entropy (CE) loss. For targeted attack, apart from CE, we also experiment with the logit loss... The adversarial perturbation $\epsilon$ is restricted by $\ell$ = 16/255. The step size $\alpha$ is set as 2/255 and number of iteration $K$ is set as 400 for all attacks... For RAP, we set $K_{LS}$ as 100 and $\alpha_n$ as 2/255. We set $\epsilon_n$ as 12/255 for I and TI in untargeted attack and 16/255 for other attacks in all other settings. |