Harry24k / adversarial-attacks-pytorch

PyTorch implementation of adversarial attacks [torchattacks].
https://adversarial-attacks-pytorch.readthedocs.io/en/latest/index.html
MIT License
1.79k stars 337 forks

[QUESTION] How to use Square or Pixle to attack? #176

Open allanxia opened 4 months ago

allanxia commented 4 months ago

❔ Any questions

Hi, I need to use a black-box attack model to test. In the actual scenario I don't know the model used by the other party; I will only receive feedback from the other party's model. But when I look at the black-box attacks in the project, such as Square and Pixle, their input needs to be passed the name of the model being attacked. Is there any demo for the black-box attack, please?

rikonaka commented 4 months ago

Hi @allanxia, based on what I know so far, so-called black-box attacks can be roughly categorized into two types. In the first type, we train a surrogate model A with the same architecture as the target model to attack, and then test the generated adv. examples on the target model B, which involves related theories such as the transferability of adv. examples. In the other category, instead of using an additional model, certain techniques are used to directly compute the adversarial samples based on the output of the black-box model (e.g., the gradient estimation attack ZOO).

Unfortunately, however, neither of these two types of attack is implemented in torchattacks. But the good news is that I plan to add some of these attack algorithms to torchattacks; this should be something you'll see soon 😉.

allanxia commented 4 months ago

@rikonaka Thank you very much for your answer, but I seem to be more confused. So the algorithms in torchattacks that implement Square and Pixle blackbox attacks are of that type?

rikonaka commented 4 months ago

> @rikonaka Thank you very much for your answer, but I seem to be more confused. So the algorithms in torchattacks that implement Square and Pixle blackbox attacks are of that type?

Well, I am not the author of these two algorithms, but I have just had a brief look at the code of these two programs. Although they are claimed to be black-box attack algorithms, the attack still requires a model to be input. This may not meet your requirements for a black-box attack (i.e., no input model), and in this regard I may need some time to examine the code. If you understand these two attack algorithms, you can try to test with them now 😘.
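
As an added illustration (not code from torchattacks or from anyone in this thread), here is the second category described in the first reply, computing a perturbation from model outputs alone, run against a constructed toy scorer. `toy_score`, `QueryOracle` and the other names are hypothetical, and the method is plain finite-difference gradient estimation in the spirit of ZOO, not an implementation of ZOO, Square or Pixle.

```python
import math

# Constructed toy scorer standing in for a locally hosted model under test.
# Callers see only the returned class-1 probability, never TOY_W or TOY_B.
TOY_W = [1.5, -2.0, 0.5, 1.0]
TOY_B = -0.25

def toy_score(x):
    z = sum(w * v for w, v in zip(TOY_W, x)) + TOY_B
    return 1.0 / (1.0 + math.exp(-z))

class QueryOracle:
    """Score-only access to a model, with a counter for queries issued."""
    def __init__(self, score_fn):
        self._score_fn = score_fn
        self.queries = 0

    def __call__(self, x):
        self.queries += 1
        return self._score_fn(x)

def estimate_gradient(oracle, x, h=1e-4):
    """Symmetric finite differences: two oracle queries per input coordinate."""
    grad = []
    for i in range(len(x)):
        up, down = list(x), list(x)
        up[i] += h
        down[i] -= h
        grad.append((oracle(up) - oracle(down)) / (2 * h))
    return grad

def signed_step(x, grad, eps):
    """Move each coordinate by eps against the estimated gradient (L-inf bound)."""
    sign = lambda g: (g > 0) - (g < 0)
    return [v - eps * sign(g) for v, g in zip(x, grad)]

def run_demo():
    oracle = QueryOracle(toy_score)
    x = [0.2, 0.1, 0.3, 0.1]  # constructed sample input
    before = oracle(x)
    grad = estimate_gradient(oracle, x)
    after = oracle(signed_step(x, grad, eps=0.1))
    return before, after, oracle.queries

if __name__ == "__main__":
    before, after, queries = run_demo()
    print(f"score before={before:.3f} after={after:.3f} queries={queries}")
```

The query counter makes the cost of output-only access visible: every gradient estimate takes two queries per input dimension.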