Structured Adversarial Attack: Towards General Implementation and Better Interpretability
Authors: Kaidi Xu, Sijia Liu, Pu Zhao, Pin-Yu Chen, Huan Zhang, Quanfu Fan, Deniz Erdogmus, Yanzhi Wang, Xue Lin
ICLR 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We demonstrate the effectiveness of StrAttack by extensive experimental results on MNIST, CIFAR-10 and ImageNet. We also show that StrAttack provides better interpretability (i.e., better correspondence with discriminative image regions) through adversarial saliency map (Papernot et al., 2016b) and class activation map (Zhou et al., 2016). |
| Researcher Affiliation | Collaboration | Northeastern University, USA; MIT-IBM Watson AI Lab, IBM Research, USA; University of California, Los Angeles, USA |
| Pseudocode | No | The paper describes the iterative steps of the ADMM algorithm (equations 7, 8, 9, with solutions 10, 11, 12, 15) and their variations for overlapping groups and refined attacks (Propositions 2 and 3). While these are algorithmic descriptions, they are presented as mathematical equations and propositions rather than in a formal pseudocode block or an explicitly labeled "Algorithm" section. |
| Open Source Code | Yes | Our code is available at https://github.com/KaidiXu/StrAttack. |
| Open Datasets | Yes | We evaluate the performance of the proposed StrAttack on three image classification datasets, MNIST (Lecun et al., 1998), CIFAR-10 (Krizhevsky & Hinton, 2009) and ImageNet (Deng et al., 2009). |
| Dataset Splits | Yes | The detailed experiment setup is presented in Appendix F. ... For each attack method on MNIST or CIFAR-10, we choose 1000 original images from the test dataset as source and each image has 9 target labels. So a total of 9000 adversarial examples are generated for each attack method. On ImageNet, each attack method tries to craft 900 adversarial examples with 100 random images from the test dataset and 9 random target labels for each image. |
| Hardware Specification | Yes | All experiments are conducted on machines with NVIDIA GTX 1080 TI GPUs. |
| Software Dependencies | No | The implementations of FGM and IFGM are based on the CleverHans package (Papernot et al., 2016a). The implementation of the C&W attack is based on the open-source code provided by Carlini & Wagner (2017). While specific packages are named, no version numbers are provided for these software dependencies (CleverHans, the C&W attack code), only citations to the corresponding works. |
| Experiment Setup | Yes | The detailed experiment setup is presented in Appendix F. ... The maximum iteration number is set to 1000 and it has 9 binary search steps. In the StrAttack, the group size for MNIST and CIFAR-10 is 2 × 2 and its stride is set to 2 if the non-overlapping mask is used, otherwise the group size is 3 × 3 and stride is 2. The group size for ImageNet is 13 × 13 and its stride is set to 13. In ADMM, the parameter ρ achieves a trade-off between the convergence rate and the convergence value. ... We set the penalty parameter ρ = 1, decaying parameter in (14) η1 = 5, τ = 2 and γ = 1. Moreover, we set c defined in (3) to 0.5 for MNIST, 0.25 for CIFAR-10, and 2.5 for ImageNet. |
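The core structured-sparsity step that the paper solves in closed form inside ADMM (the group updates of Eqs. 10-12) can be illustrated with a minimal sketch. The code below is not the paper's implementation; it shows a generic group soft-thresholding proximal operator over non-overlapping pixel groups, using the group-size/stride convention from the setup above (e.g., 2 × 2 groups with stride 2 for MNIST/CIFAR-10). The function name and threshold parameter `tau` are illustrative assumptions, not symbols from the paper.

```python
import numpy as np

def group_soft_threshold(delta, group_size, stride, tau):
    """Illustrative group soft-thresholding (prox of an l2,1 group penalty).

    Each non-overlapping group_size x group_size block of the perturbation
    `delta` is shrunk toward zero; blocks whose l2 norm is below `tau` are
    zeroed out entirely, which is what produces group-sparse perturbations.
    This is a generic stand-in for the paper's closed-form z-update, not
    the exact expression from Eqs. 10-12.
    """
    h, w = delta.shape
    out = np.zeros_like(delta)
    for i in range(0, h - group_size + 1, stride):
        for j in range(0, w - group_size + 1, stride):
            block = delta[i:i + group_size, j:j + group_size]
            norm = np.linalg.norm(block)
            if norm > tau:
                # Shrink the surviving group toward zero by a factor (1 - tau/norm).
                out[i:i + group_size, j:j + group_size] = (1 - tau / norm) * block
    return out
```

In a full ADMM loop this proximal step would alternate with a gradient-based update of the attack loss and a dual-variable update; the hyperparameters quoted above (ρ = 1, the decay schedule, and the per-dataset c) control that outer loop.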