yizeng623 / advanced-gradient-obfuscating Goto Github PK

Thx for this great work! I would like to ask some DCT-based Quantization questions. The computaion of difmat involves all 64 blocks or just one block ? I mean if it involves all 64 blocks, it may outside the most inside for loop cuz the loop only computes one block. However, if it involve only one block, what it the meaning of xq and yq?

Hello, I'm just read the paper, and it's quite brilliant idea to apply a input transformation defence to circumvent existing advanced gradient attack without retrain model or degrading performance.

Here are some thoughts on adaptive attack which may make this work more pesuasive:

1. Zero-Order Attacks that requires no gradient (e.g. SPSA/ZOO)

2. Feature-Based Attack that may compromise the Second Property.
   Edit: I make a mistake here - the dimension of x is not necessarily match with f'(g(x)), but it's still possible to train a differentiable surrogate model h(x) s.t. h(x) ≈ f'(g(x)).

3. Surrogate Model Attack
   Since the adversary has full knowledge about the model and defence mechanism(except random nums), and protected model is unchanged, the distorted image may share a similiar internal representation with the original image.
   That means, the adversary may find an intermediate layer in the origin model s.t. f'(g(x)) ≈ f'(x) where f'() is a sub-model that include layers from the origin model, from the first layer(input layer) to a designated layer before the output.

   The adversary then train an ensemble of differentiable (may be probabilistic to address the randomization) surrogate model h(x) s.t. f'(g(x)) ≈ h(x), and apply white-box attack (or BPDA?) to obtain adversarial example.
   Surrogate model can be directly trained as h(x) = f(g(x)), where f() is the full origin model, but to reduce the training burden, it's recommended to find an intermediate layer instead.