Policy-Driven Attack: Learning to Query for Hard-label Black-box Adversarial Examples
Authors: Ziang Yan, Yiwen Guo, Jian Liang, Changshui Zhang
ICLR 2021
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we evaluate the effectiveness of our method on three datasets: MNIST (LeCun et al., 2010), CIFAR-10 (Krizhevsky & Hinton, 2009), and ImageNet (Russakovsky et al., 2015). We compare our method with Boundary Attack (Brendel et al., 2018) and HopSkipJumpAttack (Chen et al., 2020) in both untargeted and targeted settings, and the required ℓ2 distortions given a specific query budget are evaluated, as in recent related work (Brendel et al., 2018; Chen et al., 2020; Li et al., 2020a). |
| Researcher Affiliation | Collaboration | Ziang Yan 1,2*, Yiwen Guo 2*, Jian Liang 3, Changshui Zhang 1 — 1 Institute for Artificial Intelligence, Tsinghua University (THUAI), Beijing National Research Center for Information Science and Technology (BNRist), Department of Automation, Tsinghua University, Beijing, P.R. China; 2 ByteDance AI Lab; 3 Alibaba Group |
| Pseudocode | Yes | Algorithm 1 Policy-Driven Attack Algorithm |
| Open Source Code | Yes | Code and models for reproducing our results are available at https://github.com/ZiangYan/pda.pytorch. |
| Open Datasets | Yes | In this section, we evaluate the effectiveness of our method on three datasets: MNIST (LeCun et al., 2010), CIFAR-10 (Krizhevsky & Hinton, 2009), and ImageNet (Russakovsky et al., 2015). |
| Dataset Splits | Yes | Another 500 images are also collected to form the validation set for tuning all hyper-parameters for each of the three datasets (i.e., MNIST, CIFAR-10, and ImageNet). |
| Hardware Specification | Yes | All experiments are conducted on NVIDIA GTX 2080 Ti GPUs with PyTorch (Paszke et al., 2017). |
| Software Dependencies | No | The paper mentions 'PyTorch (Paszke et al., 2017)' but does not specify a version number for it or other key software dependencies. |
| Experiment Setup | Yes | When constructing S with the simplified policy for pre-training as described in Section 3.5, we choose the SGD optimizer without momentum, and we use a learning rate of 0.003 in our PDA. ... We use the Adam optimizer (Kingma & Ba, 2014) with a learning rate of 0.0001, and the cross-entropy regularization in Eq. 5 is applied with a coefficient λ = 0.003. ... To achieve better trade-offs between exploration and exploitation, we initialize σ in the sampling Gaussian distribution to be 0.003, and scale it at each iteration if necessary, to make sure that the ratio of the average output of the policy network and σ lies in the range of [0.01, 0.5]. The value of σ is doubled if all sampled actions at an iteration receive zero reward. The step size ϵ during attack is set as 0.4∥x − x_t∥2, and the geometric regression strategy suggested by Chen et al. (2020) is also applied. |
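
For concreteness, below is a minimal Python sketch of the two update rules quoted in the Experiment Setup row: rescaling the sampling standard deviation σ so that the ratio between the average policy-network output and σ stays in [0.01, 0.5] (doubling σ when all sampled actions receive zero reward), and the step size ϵ = 0.4∥x − x_t∥2. This is not the authors' released implementation; function names such as `adjust_sigma` and `step_size` are illustrative only.

```python
# Hypothetical sketch of the sigma-adjustment and step-size rules described in
# the quoted experiment setup; not taken from https://github.com/ZiangYan/pda.pytorch.
import torch


def adjust_sigma(sigma, policy_mean_abs, rewards, ratio_low=0.01, ratio_high=0.5):
    """Keep the ratio (average |policy output| / sigma) inside [ratio_low, ratio_high];
    double sigma if every sampled action at this iteration received zero reward."""
    if all(r == 0 for r in rewards):
        return 2.0 * sigma
    ratio = policy_mean_abs / sigma
    if ratio < ratio_low:
        sigma = policy_mean_abs / ratio_low   # shrink sigma to raise the ratio
    elif ratio > ratio_high:
        sigma = policy_mean_abs / ratio_high  # enlarge sigma to lower the ratio
    return sigma


def step_size(x, x_t, factor=0.4):
    """Step size epsilon = 0.4 * ||x - x_t||_2, where x is the benign input and
    x_t the current adversarial example; the geometric regression of
    Chen et al. (2020) would further shrink it when a candidate fails."""
    return factor * torch.norm((x - x_t).flatten(), p=2)


if __name__ == "__main__":
    sigma = 0.003  # initial value from the quoted setup
    sigma = adjust_sigma(sigma, policy_mean_abs=0.02, rewards=[0.0, 0.1, 0.0])
    x = torch.rand(3, 32, 32)    # stand-in for a CIFAR-10 image
    x_t = torch.rand(3, 32, 32)  # stand-in for the current adversarial example
    print(sigma, step_size(x, x_t).item())
```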