Comments (2)
When measuring how well targeted attacks work, the metric should be targeted attack success rate. However, Table V measures model misclassification rate. This is not the right way to do measure it.
It's also unclear why PGD and BIM are listed as untargeted attacks and not as targeted attacks, when it works both ways (i.e., CW2 is the same and could just as easily be classified as an untargeted attack).
We agree with you that when measuring how well targeted attacks work, the metric should be targeted attack success rate, and we actually measure and analyze the targeted attack success rate of targeted attacks in Table III and section IV.A of the paper.
However, Table V does not measure the success rate of attacks, while it measures classification accuracies of defense-enhanced models (targeted success rate of attacks should less than or equal to 100% - accuracy of defense). Again, in non-adaptive scenarios, for defense-enhanced models, defenders do not need to know which type of attack belongs to (targeted or non-targeted). The only purpose for defenders is to classify the adversarial examples correctly, so we evaluate the classification accuracies of defense-enhanced models against successful adversarial examples in Table V.
from deepsec.
It's great that you do measure this for the attacks against the undefended model. But I still care about how well targeted attacks work even when considering defended models from the perspective of the adversary.
For example, for LLC you report that the average model accuracy is 39.4% whereas ILLC has an average model accuracy of 50.9%. It may very well be the case that ILLC is better at generating targeted adversarial examples on defended models, however. But the current data doesn't show this.
Compared to all the other significant issues, this point is very minor. It's just something that I would have liked to see for evaluating attacks.
from deepsec.
Related Issues (16)
- Attacks are not run on defenses in an all-pairs manner HOT 2
- Reporting success rate of unbounded attacks is meaningless HOT 2
- Discrepancies between tables, text, and code HOT 7
- Significant and fundamental flaws in methodology, analysis, and conclusions HOT 1
- JSMA implementation is incorrect
- PGD/BIM implementation is incorrect HOT 1
- What's the difference between UMIFGSM and TMIFGSM HOT 2
- Paper uses averages instead of the minimum for security analysis HOT 2
- FGSM implementation is incorrect HOT 9
- PGD adversarial training implementation is incorrect HOT 3
- Computing the average over different threat models is meaningless HOT 2
- Comparing attack effectiveness is done incorrectly HOT 2
- Epsilon values studied are too large to be meaningful HOT 4
- Detection defenses set per-attack thresholds HOT 2
- Attack success rate decreases with distortion bound HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from deepsec.