Comments (3)
-
It is in general not true that for every image for every budget there exists an adversarial example. Consider the trivial case where the network is the constant function classifying everything as a 6. No adversarial examples would exist for any digit 6. The one-pixel attack paper, for example, only works something like 70% of the time on CIFAR.
-
There has been no research in this space to the best of my knowledge. JSMA, this L0 attack, and the one-pixel attack are the only L0 attacks I know of, and they all try to minimize distortion, and not maximize error. These attacks are greedy algorithms, in that if they select the wrong pixel (for JSMA, to add; for this one, to remove) then that choice can never be undone. The simplest thing to try would be to set a budget of number of pixels that can be changed, use the current algorithm to figure out which pixels should be changed, and then remove the max (i.e., set the confidence to +inf) and just solve until it converges on a minimum.
from nn_robust_attacks.
Thank you for your detailed reply.
from nn_robust_attacks.
@carlini : Thanks again for your insightful comment! It helped me design a variant of L_0 attack that takes in a given number of pixels allowed for perturbation, dubbed Budget-aware C&W L_0 attack in our latest work: VectorDefense. We have also acknowledged your help in the paper :)
If time permits, any comments you have would be greatly appreciated. Thanks!
from nn_robust_attacks.
Related Issues (20)
- How to control the pixel number to be noised ? HOT 2
- About the settings for imagenet HOT 3
- modifier always equals zero
- no boxmin and boxmax in L_0 and L_inf
- Misleading printing?
- TODO
- Low validation accuracy of CIFAR HOT 2
- Any adversarial attack that sustains after resize attack HOT 1
- L_inf always fails if abort_early is False
- I want to attack my own model training by tensorflow2.0. HOT 2
- L2 untargeted attack not working?! HOT 2
- Unable to open file HOT 1
- Unable to run train_models.py HOT 2
- Unsuccessful TensorSliceReader constructor HOT 1
- What version of tensorflow + keras? HOT 1
- why 10000 in your code,what's the meaning?Thanks!!! HOT 2
- What are the keras and tensorflow imported in the code?
- question for self.newimg in l2_attack
- GZip error HOT 2
- L2 regularization term is squared. Why here specifically? Which impact?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nn_robust_attacks.