Perturbation Towards Easy Samples Improves Targeted Adversarial Transferability
Authors: Junqi Gao, Biqing Qi, Yao Li, Zhichang Guo, Dong Li, Yuming Xing, Dazhi Zhang
NeurIPS 2023 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experiments on the Image Net dataset shown that our method can obtain a better target transfer success rate than TTP, while requiring much less storage. Our method also has certain advantages in training time. In this section, we verify the effectiveness of our method through experiments on ILSVRC2012 dataset [41]. To evaluate the effectiveness of different components in our strategy, we conduct ablation experiments in Section 4.3. |
| Researcher Affiliation | Academia | Junqi Gao ,1, Biqing Qi ,2,3,4, Yao Li , 1, Zhichang Guo1, Dong Li1, Yuming Xing1, Dazhi Zhang1 1School of Mathematics, Harbin Institute of Technology 2Department of Control Science and Engineering, Harbin Institute of Technology 3C3I, Department of Electronic Engineering, Tsinghua University |
| Pseudocode | Yes | Algorithm 1 Mini-batch SGD Require: Initialized weights w1, total steps T, sample set S, batch size M and step size ηt. ... Algorithm 2 Target Anchor Screening Require: Early-stopping classifier fw, screening parameter q and sample set S. ... Algorithm 3 Training Strategy of ESMA Require: Generator Gθ with pre-trained embeddings, anchors ak, k [K] and Total epochs N. |
| Open Source Code | Yes | Our code is available at https://github.com/gjq100/ESMA |
| Open Datasets | Yes | The dataset we used comes from the ILSVRC2012 dataset [41], in which we selected ten classes as the training set, which refer to the ten classes used for TTP training in [24], they are 24, 99, 198, 245, 344, 471, 661, 701, 802, 919. |
| Dataset Splits | Yes | We train generators using images of these ten classes in the training set (1300 images per class), and use the images in the validation set (50 images per class) as the validation dataset for the targeted attack. |
| Hardware Specification | Yes | All methods (including training) were implemented on a single NVIDIA RTX A5000 GPU. |
| Software Dependencies | No | For the experiments on CIFAR10 mentioned in Section 2, we used the Py Torch framework. ... For the experiments in Section 4, we used the structure of following models: Res Net-50, VGG19bn, Dense Net-121, Res Net-152 from the torchvision 1 library, and others from the timm 2 library. The torchattacks 3 library is utilized for MIM, SI-NIM, TIM, and DIM. (No version numbers provided for these libraries.) |
| Experiment Setup | Yes | Parameter Setting For the parameter settings of different attack methods, we refer to the default settings in [20], total iteration number T = 20, step size α = ϵ/T, where the ℓ perturbation restriction ϵ is set to 16. Momentum factors µ is set to 1, for the stochastic input diversity in DIM, we set the probability of applying input diversity as 0.7. For TIM, the kernel-length is set to 7, which is more suitable for targeted attacks. For Po-TI-Trip, the weight of triplet loss λ is set to 0.01, while the margin γ is set to 0.007. Referring to [21], the number of iteration steps of Logit is set to 300, and for RAP-LS, we choose 400 iteration steps, KLS is set to 100, and ϵn is set to 12/255 [23]. Then for TTP, since we used a relatively small training set, we added 10 epochs to the original paper [24] settings to ensure the performance of the model, and the learning rate of Adam optimizer is 1e 4 (β1 = .5, β2 = .999). Finally, for our model, we used the Adam W optimizer to train 300 epochs with a learning rate of 1e 4 (350 for cases where the source model is VGG19bn or Dense121), the value of q used for sample screening is set to 2. |