Training Meta-Surrogate Model for Transferable Adversarial Attack

Authors: Yunxiao Qin, Yuanhao Xiong, Jinfeng Yi, Cho-Jui Hsieh

Venue: AAAI 2023

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | "Comprehensive experiments on Cifar-10 and ImageNet demonstrate that by attacking the MSM, we can obtain stronger transferable adversarial examples to deceive black-box models including adversarially trained ones, with much higher success rates than existing methods."
Researcher Affiliation | Collaboration | (1) State Key Laboratory of Media Convergence and Communication, Communication University of China, Beijing, China; (2) Neuroscience and Intelligent Media Institute, Communication University of China, Beijing, China; (3) University of California, Los Angeles, USA; (4) JD AI Research, Beijing, China
Pseudocode | Yes | "Algorithm 1: Training of Meta-Transfer Attack"
Open Source Code | No | "The trained models and the code will be released to the community for reproducibility." (Promised, not provided with the paper.)
Open Datasets | Yes | "The main contributions of our work are as follows. ... 3) We compare MTA with state-of-the-art transfer attack methods (e.g., MI (Dong et al. 2018), DI (Xie et al. 2019), TI (Dong et al. 2019), SGM (Wu et al. 2020a), AEG (Bose et al. 2020), IR (Wang et al. 2021a), SI-NI (Lin et al. 2020), FIA (Wang et al. 2021b), DA (Huang et al. 2022)) on Cifar10 (Krizhevsky, Hinton et al. 2009) and ImageNet (Deng et al. 2009)."
Dataset Splits | No | "For fair comparisons between MTA and baselines, we implement baselines with the number of iterations T=10 and ϵ=15, and other hyper-parameters are tuned for their best possible performances (implementations are detailed in Appendix). We also randomly choose 5,000 validation images from ImageNet that are correctly classified by all models for evaluation." This mentions 'validation images' for evaluation, but does not specify how the overall dataset was split for training, validation, and testing.
Hardware Specification | No | The paper does not provide specific hardware details such as GPU/CPU models or memory used for experiments.
Software Dependencies | No | The paper mentions "simplified tensorflow code" but does not provide version numbers for TensorFlow or any other software library used.
Experiment Setup | Yes | "We use the 8 source models to train the MSM for 60 epochs with the number of attack steps T_t of 7. ϵ_c of the Customized PGD is initialized to 1,600 and is exponentially decayed by 0.9 for every 4,000 iterations. The learning rate α and the batch size are set to 0.001 and 64, respectively."
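The two attack settings quoted above (baseline iterative attacks with T=10 and ϵ=15; the MSM training-time ϵ_c schedule of 1,600 decayed by 0.9 every 4,000 iterations) are the concrete parameters a reader would need to reproduce. The following block is an added example, not code from Qin et al. or from their released artifacts: it implements standard untargeted L-inf PGD on a hand-built linear classifier together with the stated ϵ_c schedule, so the budget, projection and step count can be inspected. It assumes pixel values on a 0-255 scale (so ϵ=15 is in those units), a step size α = ϵ/T, and a constructed 4-input, 3-class surrogate; it does not reproduce the paper's Customized PGD or meta-surrogate model, whose internals this page does not give.

```python
"""Illustrative L-inf PGD with the attack hyper-parameters quoted on this page.

Added example; not code from Qin et al. The Customized PGD and MSM of the
paper are not reproduced. Assumptions: pixels on a 0-255 scale, step size
alpha = eps / T, and a constructed linear classifier as the surrogate.
"""
import math


def eps_c_schedule(iteration, eps0=1600.0, decay=0.9, every=4000):
    """eps_c after `iteration` training steps: x0.9 every 4,000 iterations (from the setup row)."""
    return eps0 * decay ** (iteration // every)


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def logits(W, b, x):
    """Linear surrogate: one row of W per class."""
    return [sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


def predict(W, b, x):
    z = logits(W, b, x)
    return max(range(len(z)), key=z.__getitem__)


def loss_grad_x(W, b, x, y):
    """Cross-entropy loss and its gradient w.r.t. the input: W^T (softmax(z) - onehot(y))."""
    p = softmax(logits(W, b, x))
    loss = -math.log(p[y])
    delta = [pc - (1.0 if c == y else 0.0) for c, pc in enumerate(p)]
    grad = [sum(W[c][i] * delta[c] for c in range(len(W))) for i in range(len(x))]
    return loss, grad


def sign(v):
    return (v > 0) - (v < 0)


def pgd_linf(W, b, x0, y, eps, steps, alpha=None, lo=0.0, hi=255.0):
    """Untargeted L-inf PGD: ascend the loss, then project onto the eps-ball and the pixel range."""
    alpha = eps / steps if alpha is None else alpha
    x = list(x0)
    for _ in range(steps):
        _, g = loss_grad_x(W, b, x, y)
        x = [xi + alpha * sign(gi) for xi, gi in zip(x, g)]
        # projection: first the L-inf ball around x0, then the valid pixel range
        x = [min(max(xi, x0i - eps), x0i + eps) for xi, x0i in zip(x, x0)]
        x = [min(max(xi, lo), hi) for xi in x]
    return x


def linf_distance(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


# Constructed surrogate and input (not from the paper): 4 "pixels", 3 classes.
W = [[0.05, 0.0, 0.0, 0.0],
     [0.0, 0.05, 0.0, 0.0],
     [0.0, 0.0, 0.05, 0.0]]
B = [0.0, 0.0, 0.0]
X0 = [100.0, 90.0, 80.0, 50.0]
Y = 0  # clean prediction is class 0 (logit 5.0 vs 4.5 and 4.0)


def run_baseline_attack():
    """Baseline setting quoted on the page: T=10 iterations, eps=15."""
    return pgd_linf(W, B, X0, Y, eps=15.0, steps=10)


if __name__ == "__main__":
    x_adv = run_baseline_attack()
    print("clean:", predict(W, B, X0), "adv:", predict(W, B, x_adv),
          "linf:", linf_distance(X0, x_adv))
    print("eps_c at iterations 0 / 4000 / 8000:",
          [eps_c_schedule(i) for i in (0, 4000, 8000)])
```

On this toy surrogate the ten steps of size 1.5 push the input exactly to the edge of the ϵ=15 ball and flip the prediction from class 0 to class 1; the ϵ_c schedule is a step function (1,600 for the first 4,000 iterations, then 1,440, 1,296, ...), which is what "exponentially decayed by 0.9 for every 4,000 iterations" denotes. Note that the paper's ϵ_c value of 1,600 is far larger than a perceptual pixel budget, so it cannot be a plain L-inf bound in these units; the page does not say what quantity it constrains, and this example does not guess.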