Description
Task Description – Prerequisite 1/6
- These are the methodologies you should be familiar with first
○ Attack objective: Non-targeted attack
○ Attack constraint: L-infinity norm and Parameter ε
○ Attack algorithm: FGSM attack
○ Attack schema: Black box attack (perform attack on proxy network)
○ Benign images vs Adversarial images
Task Description – TODO 2/6
- Fast Gradient Sign Method (FGSM)
- Choose any proxy network to attack the black box
- Implement non-targeted FGSM from scratch
- Any methods you like to attack the model
- Implement any methods you prefer from scratch
- Iterative Fast Gradient Sign Method (I-FGSM) — medium baseline
- Model ensemble attack — strong/boss baseline
Task Description – FGSM 3/6
- Fast Gradient Sign Method (FGSM)
Task Description – I-FGSM 4/6
- Iterative Fast Gradient Sign Method (I-FGSM)
Task Description – Ensemble Attack 5/6
- Choose a list of proxy models
- Choose an attack algorithm (FGSM, I-FGSM, and so on)
- Attack multiple proxy models at the same time
- Delving into Transferable Adversarial Examples and Black-box Attacks
- Query-Free Adversarial Transfer via Undertrained Surrogates
Task Description – Evaluation Metrics 6/6
- Parameter ε is fixed as 8
- Distance measurement: L-inf. norm
- Model accuracy is the only evaluation metric
[Figure: example images, benign vs. adversarial (ε = 8) vs. adversarial (ε = 16)]
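The following is an added worked example, not code from the original slides: non-targeted FGSM and I-FGSM against an ensemble of proxy models, with the perturbation projected back into the L-inf ball so the ε constraint above can be checked. The linear softmax "models", the 4-pixel "image", and all function names are constructed for illustration, and ε = 8 is assumed to be on the 0-255 pixel scale (8/255 for pixels in [0, 1]).

```python
import math

EPS = 8 / 255  # assumption: the page's epsilon = 8 is on the 0-255 pixel scale

def logits(model, x):
    W, b = model
    return [sum(w * xi for w, xi in zip(row, x)) + bk for row, bk in zip(W, b)]

def predict(model, x):
    z = logits(model, x)
    return z.index(max(z))

def input_grad(models, x, y):
    """Gradient w.r.t. x of the cross-entropy loss summed over all proxy models."""
    grad = [0.0] * len(x)
    for model in models:
        z = logits(model, x)
        m = max(z)
        e = [math.exp(v - m) for v in z]
        p = [v / sum(e) for v in e]           # softmax probabilities
        p[y] -= 1.0                           # dLoss/dlogits = softmax - onehot(y)
        for k, row in enumerate(model[0]):
            for i, w in enumerate(row):
                grad[i] += p[k] * w
    return grad

def ifgsm(models, x, y, eps=EPS, steps=1):
    """Non-targeted attack: steps=1 is FGSM, steps>1 is I-FGSM with step eps/steps."""
    alpha, adv = eps / steps, list(x)
    for _ in range(steps):
        g = input_grad(models, adv, y)
        adv = [a + alpha * ((gi > 0) - (gi < 0)) for a, gi in zip(adv, g)]
        # Project back into the L-inf ball around x and the valid pixel range [0, 1].
        adv = [min(max(a, xi - eps, 0.0), xi + eps, 1.0) for a, xi in zip(adv, x)]
    return adv

def linf(a, b):
    return max(abs(u - v) for u, v in zip(a, b))

# Constructed toy data: two linear "proxy models" and one 4-pixel "image" of class 0.
PROXIES = [([[1, -1, 1, -1], [-1, 1, -1, 1]], [0.0, 0.0]),
           ([[2, -1, 1, -2], [-2, 1, -1, 2]], [0.0, 0.0])]
BENIGN, LABEL = [0.52, 0.50, 0.50, 0.50], 0

if __name__ == "__main__":
    for steps in (1, 4):
        adv = ifgsm(PROXIES, BENIGN, LABEL, steps=steps)
        print(steps, [predict(m, adv) for m in PROXIES], round(linf(adv, BENIGN) * 255, 3))
```

The same `linf` check is what a grader or a defender would apply to confirm that a submitted image stays within the ε budget of its benign original.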
Data Format 1/2
- Download link: link
- Images:
○ CIFAR-10 images
○ (32 * 32 RGB images) * 200
■ airplane/airplane1.png, …, airplane/airplane20.png
■ …
■ truck/truck1.png, …, truck/truck20.png
○ 10 classes (airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck)
○ 20 images for each class
Data Format 2/2
- In this homework, we can perform attack on pretrained models
- Pytorchcv provides multiple models pretrained on CIFAR-10
- A model list is provided here






