DifAttack: Query-Efficient Black-Box Adversarial Attack via Disentangled Feature Space
Authors: Jun Liu, Jiantao Zhou, Jiandian Zeng, Jinyu Tian
Venue: AAAI 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experimental results demonstrate that our method achieves significant improvements in ASR and query efficiency simultaneously, especially in the targeted attack and open-set scenarios. [...] Experiments. In this section, we compare our DifAttack (Dif) with SOTA score-based black-box attack methods in both the close-set and open-set scenarios. Ablation experiments on the DF module and τ in Eq.(9) are also conducted. |
| Researcher Affiliation | Academia | 1 State Key Laboratory of Internet of Things for Smart City, Department of Computer and Information Science, University of Macau 2 Institute of Artificial Intelligence and Future Networks, Beijing Normal University 3 School of Computer Science and Engineering, Macau University of Science and Technology |
| Pseudocode | Yes | Algorithm 1: The proposed DifAttack method. Input: target classifier F; clean image x; max query budget Q > 0; distortion budget ϵ; ground-truth label y; learning rate η; variance σ; v, k in Eq.(8); sample scale τ. Output: Adversarial image x .... |
| Open Source Code | Yes | The code is available at https://github.com/csjunjun/DifAttack.git. |
| Open Datasets | Yes | Datasets. We mainly conduct experiments on the large-scale ImageNet-1k, small-scale CIFAR-10 and CIFAR-100 datasets. |
| Dataset Splits | No | We randomly select a target class and 1,000 images, excluding those belonging to the selected class, as the test set. The paper does not specify the training and validation splits. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., CPU, GPU models, memory) used for the experiments. |
| Software Dependencies | No | The paper mentions "torchvision" (footnote 2, linking to `https://pytorch.org/vision/stable/index.html`) but does not specify exact version numbers for PyTorch or other libraries. |
| Experiment Setup | Yes | Parameters. Following many previous works, we also set the maximum perturbation on ImageNet to 12/255, and on CIFAR-10 as well as CIFAR-100 to 8/255. The maximum query number for these three datasets is set to 10,000. For the real-world Imagga API, the maximum query number is limited to 500 due to their query limit. In our DifAttack, we set λ = 1, σ = 0.1, η = 0.01, k = 5 or 0 for Eq.(3) and (9). Additionally, in targeted attacks, we generally set τ to the optimal value of most classifiers, which is 12. In untargeted attacks, τ is usually set to 8. |
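The setup row fixes the two quantities every score-based black-box attack paper is compared on: attack success rate (ASR) under an L∞ budget ϵ and the number of queries spent under a cap Q. The harness below is an added example, not code from the DifAttack repository or a transcription of Algorithm 1: it shows how those parameters act in a reproduction, using a plain NES-style gradient estimator (a generic baseline, not the paper's disentangled-feature method) against a constructed toy linear classifier of 8×8 "images". It reuses ϵ = 8/255, Q = 10,000, σ = 0.1 and η = 0.01 from the setup row; the classifier, the antithetic sample count `n_samples`, the seeds and the choice of target class (y+1) are assumptions made for the example.

```python
"""Query-budgeted evaluation harness for a score-based black-box attack.

Added example, not the DifAttack code: the attack is a generic NES-style
gradient estimator and the target is a constructed toy linear model,
used only to show how the setup parameters (eps, Q, sigma, eta) act.
"""
import numpy as np

N_PIXELS, N_CLASSES = 64, 10  # constructed toy "8x8 image", 10-class setting


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


class ToyClassifier:
    """Constructed stand-in for the target classifier F. Only its score
    vector is exposed to the attacker (score-based threat model)."""

    def __init__(self, seed=0):
        rng = np.random.default_rng(seed)
        self.W = rng.standard_normal((N_PIXELS, N_CLASSES)) * 0.5
        self.b = rng.standard_normal(N_CLASSES) * 0.1

    def scores(self, x):  # x: (n, N_PIXELS) with values in [0, 1]
        return softmax(np.clip(x, 0.0, 1.0) @ self.W + self.b)


class QueryBudgetedOracle:
    """Counts every image sent to F and enforces the max query budget Q."""

    def __init__(self, model, max_queries):
        self.model, self.max_queries, self.queries = model, max_queries, 0

    def __call__(self, x):
        if self.queries + len(x) > self.max_queries:
            raise RuntimeError("query budget exhausted")
        self.queries += len(x)
        return self.model.scores(x)


def project_linf(x_adv, x, eps):
    """Keep x_adv inside the L_inf ball of radius eps around x and in [0, 1]."""
    return np.clip(np.clip(x_adv, x - eps, x + eps), 0.0, 1.0)


def nes_attack(oracle, x, y, eps, eta, sigma, n_samples, target=None, seed=1):
    """Untargeted if target is None, else targeted. Returns
    (x_adv, success, queries_used). Stops when the oracle's budget runs out.
    Each iteration costs 1 check query + 2*n_samples estimation queries."""
    rng = np.random.default_rng(seed)
    x_adv = x.copy()
    while True:
        try:
            pred = int(oracle(x_adv[None])[0].argmax())  # 1 query: success check
            if (target is None and pred != y) or (target is not None and pred == target):
                return x_adv, True, oracle.queries
            u = rng.standard_normal((n_samples, x.size))
            u = np.concatenate([u, -u])  # antithetic pairs (assumed sampling scheme)
            probs = oracle(x_adv[None] + sigma * u)  # 2*n_samples queries
        except RuntimeError:
            return x_adv, False, oracle.queries
        if target is None:
            loss = -np.log(probs[:, y] + 1e-12)  # ascend: push true-class score down
        else:
            loss = np.log(probs[:, target] + 1e-12)  # ascend: pull target score up
        grad = (loss[:, None] * u).mean(axis=0) / sigma  # NES gradient estimate
        x_adv = project_linf(x_adv + eta * np.sign(grad), x, eps)


def run_experiment(n_images=20, eps=8 / 255, max_queries=10_000, eta=0.01,
                   sigma=0.1, n_samples=20, targeted=False, seed=3):
    """Report ASR and mean/median queries over successful attacks, the two
    numbers the paper's setup is built to compare."""
    model = ToyClassifier()
    rng = np.random.default_rng(seed)
    records = []
    for _ in range(n_images):
        x = rng.random(N_PIXELS)  # constructed clean "image"
        y = int(model.scores(x[None])[0].argmax())  # label := clean prediction
        target = (y + 1) % N_CLASSES if targeted else None  # assumed target choice
        oracle = QueryBudgetedOracle(model, max_queries)
        x_adv, ok, q = nes_attack(oracle, x, y, eps, eta, sigma, n_samples, target)
        records.append({"success": ok, "queries": q,
                        "linf": float(np.abs(x_adv - x).max()),
                        "pred": int(model.scores(x_adv[None])[0].argmax()),
                        "label": y, "target": target})
    succ = [r["queries"] for r in records if r["success"]]
    return {"asr": len(succ) / n_images,
            "mean_queries": float(np.mean(succ)) if succ else None,
            "median_queries": float(np.median(succ)) if succ else None,
            "records": records}


if __name__ == "__main__":
    for targeted in (False, True):
        r = run_experiment(targeted=targeted)
        print("targeted" if targeted else "untargeted", "ASR:", r["asr"],
              "mean/median queries:", r["mean_queries"], r["median_queries"])
```

Two reproduction details the table does not spell out are visible here: the success-check query is counted against Q (papers differ on this, and it changes the reported mean query count), and with 2·n_samples + 1 queries per iteration the cap Q = 10,000 bounds the number of optimisation steps to about Q/(2·n_samples + 1), which is what makes per-iteration sample count the main lever on query efficiency. On this 64-dimensional toy the ASR at ϵ = 8/255 is well below 1 because the sign-step perturbation scales with the dimension while the clean logit margin scales with its square root; the same harness on real image dimensions behaves very differently, which is why the datasets and ϵ must be quoted together with any ASR.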