Towards Feature Space Adversarial Attack by Style Perturbation
Authors: Qiuling Xu, Guanhong Tao, Siyuan Cheng, Xiangyu Zhang10523-10531
AAAI 2021 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We show that our attack can generate adversarial samples that are more natural-looking than the state-of-the-art unbounded attacks. The experiment also supports that existing pixel-space adversarial attack detection and defense techniques can hardly ensure robustness in the style related feature space. We evaluate our attacks on 3 datasets and 7 models. |
| Researcher Affiliation | Academia | Qiuling Xu, Guanhong Tao, Siyuan Cheng, Xiangyu Zhang Department of Computer Science, Purdue University 305 N University St West Lafayette, Indiana 47907 {xu1230, taog, cheng535, xyzhang}@purdue.edu |
| Pseudocode | No | The paper describes methods in text and mathematical formulas but does not include any clearly labeled pseudocode or algorithm blocks. |
| Open Source Code | Yes | 1The appendix and code are available at https://arxiv.org/abs/ 2004.12385 and https://github.com/qiulingxu/Feature Space Attack respectively. |
| Open Datasets | Yes | Three datasets are employed in the experiments: CIFAR-10 (Krizhevsky et al. 2009), Image Net (Russakovsky et al. 2015) and SVHN (Netzer et al. 2011). |
| Dataset Splits | No | The paper mentions using CIFAR-10, Image Net, and SVHN datasets, and refers to the 'original training dataset' for decoder optimization, but does not explicitly provide the training/validation/test splits used in their experiments or specify a dedicated validation set split with percentages or counts. |
| Hardware Specification | No | The paper does not provide specific details about the hardware used for experiments (e.g., GPU/CPU models, memory, or cloud instance types). |
| Software Dependencies | No | The paper does not specify version numbers for any software dependencies or libraries used in the experiments. |
| Experiment Setup | Yes | In the first experiment, we conduct a human study to measure the quality of feature space attack samples. We follow the same procedure as in (Zhang, Isola, and Efros 2016; Bhattad et al. 2020). Users are given 50 pairs of images, each pair consisting of an original image and its transformed version (by feature space attack). They are asked to choose the realistic one from each pair. The images are randomly selected and used in the following trials. Each pair appears on screen for 3 seconds, and is evaluated by 10 users. Every user has 5 chances for practice before the trials begin. In total, 110 users completed the study. |