Improving Black-box Adversarial Attacks with a Transfer-based Prior
Authors: Shuyu Cheng, Yinpeng Dong, Tianyu Pang, Hang Su, Jun Zhu
NeurIPS 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments demonstrate that our method requires much fewer queries to attack black-box models with higher success rates compared with the alternative state-of-the-art methods. |
| Researcher Affiliation | Academia | Shuyu Cheng, Yinpeng Dong, Tianyu Pang, Hang Su, Jun Zhu Dept. of Comp. Sci. and Tech., BNRist Center, State Key Lab for Intell. Tech. & Sys., Institute for AI, THBI Lab, Tsinghua University, Beijing, 100084, China {chengsy18, dyp17, pty17}@mails.tsinghua.edu.cn, {suhangss, dcszj}@mail.tsinghua.edu.cn |
| Pseudocode | Yes | Algorithm 1 Prior-guided random gradient-free (P-RGF) method |
| Open Source Code | Yes | Our code is available at: https://github.com/thu-ml/Prior-Guided-RGF. |
| Open Datasets | Yes | We perform untargeted attacks under both the ℓ2 and ℓ norms on the ImageNet dataset [31]. [31] Olga Russakovsky, Jia Deng, Hao Su, Jonathan Krause, Sanjeev Satheesh, Sean Ma, Zhiheng Huang, Andrej Karpathy, Aditya Khosla, Michael Bernstein, et al. Imagenet large scale visual recognition challenge. International Journal of Computer Vision, 115(3):211-252, 2015. |
| Dataset Splits | Yes | We choose 1,000 images randomly from the validation set for evaluation. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory) used for running the experiments. |
| Software Dependencies | No | The paper does not provide specific software dependencies with version numbers. |
| Experiment Setup | Yes | We set the perturbation size as ϵ = 0.001 D and the learning rate as η = 2 in PGD under the ℓ2 norm, with images in [0, 1]. ... We set the number of queries as q = 50, and the sampling variance as σ = 0.0001 D. ... We set the dimension of the subspace as d = 50 × 50 × 3. ... For all methods, we restrict the maximum number of queries for each image to be 10,000. |