Towards Transferable Adversarial Attacks with Centralized Perturbation
Authors: Shangbo Wu, Yu-an Tan, Yajie Wang, Ruinan Ma, Wencong Ma, Yuanzhang Li
AAAI 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experiments demonstrate that by dynamically centralizing perturbation on dominating frequency coefficients, crafted adversarial examples exhibit stronger transferability, allowing them to bypass various defenses. |
| Researcher Affiliation | Academia | (1) School of Cyberspace Science and Technology, Beijing Institute of Technology; (2) School of Computer Science and Technology, Beijing Institute of Technology. {shangbo.wu, tan2008, wangyajie19, ruinan, wencong.ma, popular}@bit.edu.cn |
| Pseudocode | Yes | Algorithm 1: Centralized Adversarial Perturbation. Input: Original image $x$, ground truth label $y$, source model $F$ with loss $J$. Parameters: Iteration $T$, size of perturbation $\varepsilon$, learning rate $\beta$, quantization ratios $r_Y$, $r_{Cb}$, $r_{Cr}$ and corresponding quantization matrices $Q_Y$, $Q_{Cb}$, $Q_{Cr}$ (denoted as $Q$s for brevity) for each Y/Cb/Cr channel. Output: $x^{adv}_T$. 1: Let step size $\alpha = \varepsilon/T$, $Q_0 = 1$. 2: for $t = 0$ to $T - 1$ do 3: Acquire gradient from $F$ as $\nabla_x J(x^{adv}_t, y)$. 4: Perturbation $\delta_t = \alpha \, \mathrm{sign}(\nabla_x J(x^{adv}_t, y))$. 5: Optimize $\delta_t$ by Equation 5 and 7 to acquire $\delta'_t$, and clip with respect to $\varepsilon$. 6: Acquire intermediate $x^{adv}_t = x + \delta'_t$. 7: Update $Q_t$s by passing the quantized $x^{adv}_t$ (through the same Equation 5 and 7) to $F$ and solving the optimization via Equation 6. 8: end for 9: return $x^{adv}_T = x + \delta'_T$. |
| Open Source Code | No | The paper references third-party code for pre-trained models ('PyTorch Image Models. https://github.com/huggingface/pytorch-image-models'), but does not explicitly state that the source code for their own methodology is available or provide a link to it. |
| Open Datasets | Yes | The dataset from the NeurIPS 2017 Adversarial Learning Challenge (Kurakin et al. 2018) is used, consisting of 1000 images from ImageNet with shape (3, 224, 224). |
| Dataset Splits | No | The paper mentions the dataset used but does not provide specific training, validation, or test splits for it within the context of their experiments. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, processor types, or memory amounts) used for running its experiments. |
| Software Dependencies | No | The paper mentions 'PyTorch Image Models' as a source for pre-trained models but does not provide specific version numbers for it or any other ancillary software dependencies. |
| Experiment Setup | Yes | Hyper-parameters. Attacks are $\ell_\infty$-bounded. $\varepsilon = 8/255$. They run for iteration $T = 10, 20, 50$. Learning rate of the Adam optimizer $\beta = 0.1$. Quantization ratios are set to $r_Y = 0.9$, $r_{Cb} = 0.05$, $r_{Cr} = 0.05$, with a total quantization rate of 1/3. |