Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et al. [K. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026].
Rethinking Image-Scaling Attacks: The Interplay Between Vulnerabilities in Machine Learning Systems
Authors: Yue Gao, Ilia Shumailov, Kassem Fawaz
Venue: ICML 2022
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Finally, we perform an empirical evaluation of our improved HR black-box attacks and five state-of-the-art defenses designed to protect the scaling procedure. Our evaluation is designed to answer the following questions. Q1: Can we improve black-box attacks by exploiting the scaling function to hide adversarial perturbation? Q2: Can we still improve black-box attacks when the scaling function is protected by defenses? ... We use ImageNet (Russakovsky et al., 2015) and CelebA (Liu et al., 2015) datasets. ... Evaluation Metrics. We use standard metrics: (1) scaled l2-norm ... (2) attack success rate (ASR) ... |
| Researcher Affiliation | Academia | Yue Gao (1), Ilia Shumailov (2), Kassem Fawaz (1); (1) University of Wisconsin-Madison, Madison, WI, USA; (2) Vector Institute, Toronto, ON, Canada. |
| Pseudocode | Yes | Algorithm 1 Scaling-aware Noise Sampling (SNS) ... Algorithm 2 High-Resolution HSJ Attack (Simplified) ... Algorithm 3 High-Resolution Sign-OPT Attack (Simplified) |
| Open Source Code | Yes | Our code is available at https://github.com/wi-pi/rethinking-image-scaling-attacks. |
| Open Datasets | Yes | We use ImageNet (Russakovsky et al., 2015) and CelebA (Liu et al., 2015) datasets. |
| Dataset Splits | No | The paper states using pre-trained models and discusses images being correctly classified before attack, but does not provide specific training, validation, or test set splits for dataset partitioning. |
| Hardware Specification | Yes | We run all experiments on 8 Nvidia RTX 2080 Ti GPUs, each with 11 GB memory. |
| Software Dependencies | No | The paper mentions 'TorchVision', 'OpenCV', and 'Adversarial Robustness Toolbox' in the text without specific version numbers for all components. |
| Experiment Setup | Yes | For the C&W attack, we set the binary search step to 20 with a maximum of 1,000 iterations. The confidence parameter κ is set to {0, 1, ..., 10}. For the PGD attack, we set the number of steps to 100 with l2-norm budget ϵ = {1, 2, ..., 20} and step size 0.1 ϵ. Particularly, we did not change the default parameters used in black-box attacks; all optimization parameters are fixed to the official recommendation. |