Generate Universal Adversarial Perturbations for Few-Shot Learning

Authors: Yiman Hu, Yixiong Zou, Ruixuan Li, Yuhua Li

NeurIPS 2024

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | This paper demonstrates the ineffectiveness of traditional UAPs in open-set scenarios like Few-Shot Learning (FSL). Through analysis, we identify two primary challenges that hinder the attacking process: the task shift and the semantic shift. To enhance the transferability of UAPs in FSL, we propose a unifying attacking framework addressing these two shifts. The task shift is addressed by aligning proxy tasks to the downstream tasks, while the semantic shift is handled by leveraging the generalizability of pre-trained encoders. The proposed Few-Shot Attacking FrameWork, denoted as FSAFW, can effectively generate UAPs across various FSL training paradigms and different downstream tasks. Our approach not only sets a new standard for state-of-the-art works but also significantly enhances attack performance, exceeding the baseline method by over 16%. To better understand how to effectively attack the FSL tasks, we conducted a comprehensive evaluation and analysis of the challenges involved |
| Researcher Affiliation | Academia | Yiman Hu, Yixiong Zou, Ruixuan Li, Yuhua Li; School of Computer Science and Technology, Huazhong University of Science and Technology; {imane, yixiongz, rxli, idcliyuhua}@hust.edu.cn |
| Pseudocode | No | Our final method can be summarized in the following steps: (1) Sample 5-way 1-shot tasks from the proxy dataset. (2) Calculate prototypes for each class in the proxy tasks. (3) Compute the fooling loss based on the distance between the query sample and class prototypes. (4) Optimize the perturbation generator to produce a highly transferable UAP in FSL. By following these steps, our method systematically generates universal adversarial perturbations that are robust and generalizable across different tasks. (These are descriptive steps, not a formally labeled pseudocode or algorithm block.) |
| Open Source Code | Yes | Does the paper provide open access to the data and code, with sufficient instructions to faithfully reproduce the main experimental results, as described in supplemental material? Answer: [Yes] Justification: We have reported the detailed settings and hyper-parameters. We will release our codes. |
| Open Datasets | Yes | We utilize three widely used datasets in Few-Shot Learning (FSL) as the proxy dataset: CIFAR-FS [4], mini-ImageNet [43], and Tiered-ImageNet [34]. Both CIFAR-FS and mini-ImageNet datasets comprise images from 100 categories, divided into 64 classes for training, 16 for validation, and 20 for testing. Tiered-ImageNet, a more extensive subset of ImageNet [9], consists of 608 classes (779,165 images) organized into 34 high-level categories, which are further split into 351 training classes, 97 validation classes, and 160 testing classes. |
| Dataset Splits | Yes | Both CIFAR-FS and mini-ImageNet datasets comprise images from 100 categories, divided into 64 classes for training, 16 for validation, and 20 for testing. |
| Hardware Specification | No | Does the paper provide sufficient information on the computer resources (type of compute workers, memory, time of execution) needed to reproduce the experiments? Answer: [Yes] Justification: We have reported the computer resources in the implementation details. (However, the 'implementation details' section 6.1 does not provide specific hardware information such as GPU/CPU models, memory, or cloud instances. It only mentions model backbones.) |
| Software Dependencies | No | All the victim models are downloaded from the Libfewshot [21], a comprehensive Library for FSL. (Mentions Libfewshot and Adam optimizer, but no specific version numbers for software libraries like Python, PyTorch, TensorFlow, etc., are provided.) |
| Experiment Setup | Yes | The generator network, following the approach described in [52], was optimized using the Adam optimizer with an initial learning rate of 0.0002. The perturbation was kept within an ℓ -norm bound of ϵ = 10, considering pixel values in the range of 0 to 255. Additional FSL testing configurations follow the details provided in Libfewshot. |