Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent
Authors: Pu Zhao, Pin-yu Chen, Siyue Wang, Xue Lin (pp. 6909-6916)
AAAI 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | The empirical evaluations on image classification datasets demonstrate that ZO-NGD can obtain significantly lower model query complexities compared with state-of-the-art attack methods. |
| Researcher Affiliation | Collaboration | 1Northeastern University, Boston, MA 02115 2IBM Research, Yorktown Heights, NY 10598 |
| Pseudocode | Yes | Algorithm 1 Framework of ZO-NGD. Require: The legitimate image x; the correct label t; the model to be queried; the learning rate λ; the sampling step size μ; Ensure: Adversarial perturbation δ; 1: initialize δ_0 with all zeros; 2: for k = 0, ..., K do 3: Query the model with δ_k and obtain the probability p(t|x, δ_k) := p(t|x + δ_k); 4: for j = 1, ..., R do 5: Generate a random direction vector u_j drawn from a uniform distribution over the surface of a unit sphere; 6: Query the model with x + δ_k + μu_j and obtain p(t|x, δ_k + μu_j); 7: end for 8: Estimate the gradient of the loss function, ∇̂f(δ_k), according to Eq. (16); 9: Estimate the gradient of the log-likelihood function, ∇̂ log p(t|x, δ_k), according to Eq. (17); 10: Compute the FIM F according to Eq. (18) and perform the natural gradient update as shown in Eq. (19). 11: end for |
| Open Source Code | Yes | 1The code and appendix are available at https://github.com/LinLabNEU/ZO-NGD-blackbox. |
| Open Datasets | Yes | We compare ZO-NGD with various attack methods on three image classification datasets, MNIST (Lecun et al. 1998), CIFAR-10 (Krizhevsky and Hinton 2009) and ImageNet (Deng et al. 2009). |
| Dataset Splits | No | The paper mentions selecting images from 'test datasets' for evaluation, and using a 'pretrained Inception v3 network' for ImageNet, but does not explicitly provide training/validation/test dataset splits (e.g., percentages or counts) for their own model training or for the attack evaluation. |
| Hardware Specification | Yes | All experiments are performed on machines with NVIDIA GTX 1080 TI GPUs. |
| Software Dependencies | No | The paper does not specify software dependencies with version numbers (e.g., Python version, specific library versions like TensorFlow, PyTorch, or Scikit-learn). |
| Experiment Setup | Yes | In the proposed ZO-NGD method, the sampling number R in the random gradient estimation as defined in Eq. (16) and (17) is set to 40. ϵ is set to 0.4 for MNIST and 0.2 for CIFAR-10 or ImageNet. In Eq. (16) and (17), we set μ = 1 for three datasets. γ is set to 0.01. |
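A runnable sketch of the loop in Algorithm 1, added here as an illustration rather than code from the paper or its repository. Eq. (16)-(19) are cited by number only on this page, so the block assumes concrete forms for them: the attack loss f(δ) = p(t|x+δ) to be minimised, the forward-difference estimator (d/(Rμ)) Σ_j (f(δ+μu_j) − f(δ)) u_j for both gradient estimates, a damped rank-one Fisher matrix F = ĝ_ll ĝ_llᵀ + γI solved with the Sherman-Morrison identity, and projection of δ onto an ℓ∞ ball of radius ε. The victim (a 4-feature logistic model), the input, the learning rate λ = 0.05 and the step count are constructed for the demo; R = 40, μ = 1, γ = 0.01 and ε = 0.4 follow the setup row above. The model object counts queries, so the R + 1 queries per iteration that the algorithm implies can be checked directly.

```python
"""Toy zeroth-order natural-gradient (ZO-NGD-style) black-box attack.

Added illustration, not the authors' code. The victim is a constructed
logistic-regression model that the attacker can query only for the
predicted probability p(t | x + delta); the attack runs purely on those
outputs and counts every query it spends.
"""
import math
import random


class BlackBoxModel:
    """Constructed victim: binary logistic model exposing probabilities only."""

    def __init__(self, weights, bias):
        self.w = weights
        self.b = bias
        self.queries = 0  # every probability request costs one query

    def prob(self, x, label):
        """Return p(label | x) for label in {0, 1} and count the query."""
        self.queries += 1
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        p1 = 1.0 / (1.0 + math.exp(-z))
        return p1 if label == 1 else 1.0 - p1


def unit_sphere_direction(dim, rng):
    """Uniform random direction on the unit sphere (normalised Gaussian)."""
    v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
    norm = math.sqrt(sum(c * c for c in v))
    return [c / norm for c in v]


def natural_step(g_f, g_ll, gamma):
    """Solve (g_ll g_ll^T + gamma I) s = g_f with the Sherman-Morrison identity.

    The damped rank-one Fisher matrix is this example's assumption for the
    page's Eq. (18); gamma is the damping constant the setup row lists as 0.01.
    """
    gg = sum(a * a for a in g_ll)
    gv = sum(a * b for a, b in zip(g_ll, g_f))
    return [(v - a * gv / (gamma + gg)) / gamma for v, a in zip(g_f, g_ll)]


def zo_ngd_attack(model, x, label, eps, steps, R=40, mu=1.0, gamma=0.01, lam=0.05, seed=0):
    """Untargeted attack returning delta inside the l_inf ball of radius eps.

    Each iteration spends exactly R + 1 queries (one at delta, R at
    delta + mu * u_j), mirroring steps 3-7 of Algorithm 1. The attack loss
    f(delta) = p(t | x + delta) and the estimator d/(R mu) * sum_j (f_j - f_0) u_j
    stand in for the page's Eq. (16)-(17), which it quotes by number only.
    lam (the learning rate) is a value chosen for this toy, not from the paper.
    """
    rng = random.Random(seed)
    d = len(x)
    delta = [0.0] * d
    for _ in range(steps):
        p0 = model.prob([xi + di for xi, di in zip(x, delta)], label)
        g_f = [0.0] * d   # estimated gradient of the attack loss p(t|.)
        g_ll = [0.0] * d  # estimated gradient of the log-likelihood log p(t|.)
        for _ in range(R):
            u = unit_sphere_direction(d, rng)
            pj = model.prob([xi + di + mu * ui for xi, di, ui in zip(x, delta, u)], label)
            c_f = d * (pj - p0) / (R * mu)
            c_ll = d * (math.log(pj) - math.log(p0)) / (R * mu)
            for i in range(d):
                g_f[i] += c_f * u[i]
                g_ll[i] += c_ll * u[i]
        step = natural_step(g_f, g_ll, gamma)
        # Natural-gradient descent step, then projection onto the eps ball (assumed l_inf).
        delta = [max(-eps, min(eps, di - lam * si)) for di, si in zip(delta, step)]
    return delta


def run_demo(eps=0.4, steps=5, R=40, mu=1.0, gamma=0.01):
    """Attack a constructed model and report the query budget actually spent."""
    model = BlackBoxModel(weights=[1.0, -0.5, 0.8, 0.3], bias=0.0)
    x, t = [1.0, -1.0, 1.0, 1.0], 1   # constructed input the model classifies as t
    p_before = model.prob(x, t)
    model.queries = 0                  # count only the attacker's queries
    delta = zo_ngd_attack(model, x, t, eps, steps, R=R, mu=mu, gamma=gamma)
    p_after = model.prob([xi + di for xi, di in zip(x, delta)], t)
    return {
        "p_before": p_before,
        "p_after": p_after,
        "delta": delta,
        "attack_queries": model.queries - 1,  # exclude the final check query
        "expected_queries": steps * (R + 1),
    }


if __name__ == "__main__":
    result = run_demo()
    print("p(t|x) before: %.3f  after: %.3f" % (result["p_before"], result["p_after"]))
    print("queries spent: %d (expected %d)" % (result["attack_queries"], result["expected_queries"]))
```

Running the block prints p(t|x) before and after the attack together with the query count; the count equals steps × (R + 1), which is the quantity the paper's query-efficiency comparison is about, so any change to the estimator (fewer directions, a two-sided difference) shows up there immediately.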