Diversity can be Transferred: Output Diversification for White- and Black-box Attacks

Authors: Yusuke Tashiro, Yang Song, Stefano Ermon

NeurIPS 2020

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Empirically, we demonstrate that ODS significantly improves the performance of existing white-box and black-box attacks. In particular, ODS reduces the number of queries needed for state-of-the-art black-box attacks on ImageNet by a factor of two. |
| Researcher Affiliation | Collaboration | Yusuke Tashiro1,2,3*, Yang Song1, Stefano Ermon1. 1Department of Computer Science, Stanford University, Stanford, CA, USA; 2Mitsubishi UFJ Trust Investment Technology Institute, Tokyo, Japan; 3Japan Digital Design, Tokyo, Japan |
| Pseudocode | Yes | We provide the pseudo-code for ODI in Algorithm A of the Appendix. and We give the pseudo-code of SimBA [18] with ODS in Algorithm 1. |
| Open Source Code | No | The paper mentions external codebases and implementations (e.g., 'https://github.com/MadryLab/mnist_challenge', 'We use the implementation in Foolbox [36]'), but it does not provide a statement or link for the open-source code of their proposed methodology (ODS). |
| Open Datasets | Yes | We perform attacks against three adversarially trained models from MadryLab1 [2] for MNIST and CIFAR-10 and the Feature Denoising ResNet152 network2 [31] for ImageNet. |
| Dataset Splits | No | The paper mentions using 'all test images on each dataset' and 'randomly sample 300 correctly classified images from the ImageNet validation set,' implying standard splits, but it does not provide specific details on the training/validation/test dataset splits (e.g., percentages or exact counts) for reproducibility. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., exact GPU/CPU models, memory amounts, or detailed computer specifications) used for running its experiments. |
| Software Dependencies | No | The paper mentions the use of third-party libraries like 'Foolbox [36]' and 'ART [37]' but does not provide specific version numbers for these or other software dependencies. |
| Experiment Setup | Yes | We set the same hyperparameters for SimBA as [18]: the step size is 0.2 and the number of iterations (max queries) is 10000 (20000) for untargeted attacks and 30000 (60000) for targeted attacks. As the loss function in SimBA, we employ the margin loss for untargeted attacks and the cross-entropy loss for targeted attacks. and Hyperparameters for RGF are same as [22]: max queries are 10000, sample size is 10, step size is 0.5 (ℓ2) and 0.005 (ℓ∞), and epsilon is 0.001 2242 3 (ℓ2) and 0.05 (ℓ∞). |