Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models
Authors: Wieland Brendel*, Jonas Rauber*, Matthias Bethge
ICLR 2018
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We quantify the performance of the Boundary Attack on three different standard datasets: MNIST (LeCun et al., 1998), CIFAR-10 (Krizhevsky & Hinton, 2009) and ImageNet-1000 (Deng et al., 2009). ... We evaluate the Boundary Attack in two settings... We show adversarial samples synthesized by the Boundary Attack for each dataset in Figure 3. ... In this section we apply the Boundary Attack to two models of the cloud-based computer vision API by Clarifai. |
| Researcher Affiliation | Academia | Wieland Brendel, Jonas Rauber & Matthias Bethge, Werner Reichardt Centre for Integrative Neuroscience, Eberhard Karls University Tübingen, Germany {wieland,jonas,matthias}@bethgelab.org |
| Pseudocode | Yes | Algorithm 1: Minimal version of the Boundary Attack. Data: original image o, adversarial criterion c(.), decision of model d(.). Result: adversarial example õ such that the distance d(o, õ) = ‖õ - o‖₂² is minimized. Initialization: k = 0, õ⁰ ∼ U(0, 1) s.t. õ⁰ is adversarial; while k < maximum number of steps do: draw random perturbation from proposal distribution η_k ∼ P(õ^(k-1)); if õ^(k-1) + η_k is adversarial then set õ^k = õ^(k-1) + η_k, else set õ^k = õ^(k-1); k = k + 1; end |
| Open Source Code | Yes | An implementation of the attack is available as part of Foolbox (https://github.com/bethgelab/foolbox). |
| Open Datasets | Yes | We quantify the performance of the Boundary Attack on three different standard datasets: MNIST (LeCun et al., 1998), CIFAR-10 (Krizhevsky & Hinton, 2009) and ImageNet-1000 (Deng et al., 2009). |
| Dataset Splits | Yes | For MNIST and CIFAR we evaluate 1000 randomly drawn samples from the validation set, for ImageNet we use 250 images. |
| Hardware Specification | No | The paper does not provide specific details regarding the hardware (e.g., GPU/CPU models, memory) used for running the experiments. |
| Software Dependencies | Yes | We use the implementation in Foolbox 0.10.0 (Rauber et al., 2017). |
| Experiment Setup | Yes | The Boundary Attack has only two relevant parameters: the length of the total perturbation δ and the length of the step ϵ towards the original input (see Fig. 2). We adjust both parameters dynamically according to the local geometry of the boundary. |
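
The pseudocode quoted in the Pseudocode row (Algorithm 1) translates almost directly into code. Below is a minimal NumPy sketch of that rejection-sampling loop; the `is_adversarial` oracle, the Gaussian proposal, and the fixed `delta`/`epsilon` step sizes are illustrative assumptions, since the full attack uses a more elaborate proposal distribution and dynamic step-size adjustment.

```python
import numpy as np

def boundary_attack_minimal(original, is_adversarial, max_steps=5000,
                            delta=0.1, epsilon=0.01, seed=0):
    """Minimal sketch of Algorithm 1 (Boundary Attack).

    original       : np.ndarray with values in [0, 1], the clean input o.
    is_adversarial : callable(np.ndarray) -> bool, the model's decision
                     combined with the adversarial criterion c(.).
    delta, epsilon : fixed relative step sizes (the full attack adapts them).
    """
    rng = np.random.default_rng(seed)

    # Initialization: sample from U(0, 1) until the starting point is adversarial.
    adv = rng.uniform(0.0, 1.0, size=original.shape)
    while not is_adversarial(adv):
        adv = rng.uniform(0.0, 1.0, size=original.shape)

    for _ in range(max_steps):
        direction = original - adv
        dist = np.linalg.norm(direction)
        if dist == 0:  # already identical to the original image
            break

        # Random perturbation from the proposal distribution, scaled
        # relative to the current distance to the original.
        eta = rng.normal(size=original.shape)
        eta *= delta * dist / (np.linalg.norm(eta) + 1e-12)

        # Proposal = random step plus a small step towards the original input,
        # clipped to the valid pixel range.
        candidate = np.clip(adv + eta + epsilon * direction, 0.0, 1.0)

        # Rejection sampling along the decision boundary: keep the proposal
        # only if it is still adversarial.
        if is_adversarial(candidate):
            adv = candidate

    return adv
```

Calling this only requires the original image and a black-box decision function, which mirrors the decision-based threat model the paper studies.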
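
The Experiment Setup row states that the two parameters δ (length of the total perturbation) and ε (length of the step towards the original input) are adjusted dynamically to the local geometry of the boundary. A hedged sketch of one such feedback rule is shown below; the 50% target success rate, the multiplicative factor, and the name `adjust_step_sizes` are assumptions made for illustration, not the paper's exact update scheme.

```python
def adjust_step_sizes(delta, epsilon, orth_success_rate, step_success_rate,
                      target=0.5, factor=0.9):
    """Illustrative update of the two Boundary Attack parameters.

    delta   : relative length of the random (orthogonal) perturbation
    epsilon : relative length of the step towards the original input
    Both success rates are measured over a recent window of proposals.
    The target rate and multiplicative scheme are assumptions for this
    sketch; the paper only states that both parameters are adapted to
    the local geometry of the boundary.
    """
    # If too few random proposals stay adversarial, the boundary is strongly
    # curved at the current point: shrink the orthogonal step. Otherwise grow it.
    if orth_success_rate < target:
        delta *= factor
    else:
        delta /= factor

    # Same feedback for the step towards the original image: back off when the
    # attack stops making progress, speed up when steps are reliably accepted.
    if step_success_rate < target:
        epsilon *= factor
    else:
        epsilon /= factor

    return delta, epsilon
```

In the full attack such an update would run every few proposals; the sketch only illustrates the feedback principle behind the dynamic adjustment.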