IBM / Autozoom-Attack

Codes for reproducing query-efficient black-box attacks in “AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks”, published at AAAI 2019
https://arxiv.org/abs/1805.11770
Apache License 2.0

How to count the query number when successfully attacked? #11

Open machanic opened 4 years ago

machanic commented 4 years ago

Hello, I am re-implementing the autozoom attack as a PyTorch version. I want to add code for counting the number of queries when the input has first been successfully attacked, as reported in the paper's table.

However, I found that your code does not have an early abort mechanism which breaks the for-loop when the input has already been attacked successfully. It means when I set `max_iterations=1000`, the final query number is always 2 x 1000 or batch_size x 2 x 1000 according to `def get_eval_costs`.

How do I count the real query number when the input has first been successfully attacked?

chunchentu commented 4 years ago

First attack information is printed out at https://github.com/IBM/Autozoom-Attack/blob/d9e94f3b7ed67eb7db4b375344297bed0a391534/blackbox_attack.py#L294

machanic commented 4 years ago

@chunchentu, I am writing a paper to compare your method.

  1. The autozoom-attack is not an l-p constraint attack method. If we use the code of line 294 you mentioned to count the query number for reporting, the l2 distortion is too large, because I found the l2dist (also loss2) number is very large in my experiment. Thus it is not fair to use this query to compare with l-p $\epsilon$-bounded attacks.

  2. I carefully read your paper. I notice that in Table 1 and Table 2 of the paper, you count two types of query count number: (1) mean query count of initial success, and (2) query count of per-pixel L2 distortion <= 0.0015.

(1) Is the line 294 (following link) calculating query count of initial success? https://github.com/IBM/Autozoom-Attack/blob/d9e94f3b7ed67eb7db4b375344297bed0a391534/blackbox_attack.py#L294

(2) How do I calculate the query count of per-pixel L2 distortion <= 0.0015? Should I write: only if o_bestl2 <= 0.0015, we then calculate the query count? To this end, we need to add counting code in https://github.com/IBM/Autozoom-Attack/blob/d9e94f3b7ed67eb7db4b375344297bed0a391534/blackbox_attack.py#L298 Am I right?

Can you help me, please? I will cite your paper. Thank you.

chunchentu commented 4 years ago

We write the code to parse the printed log. You can insert code to record the query counts when it first reaches your predefined criteria. If you are looking for some l-p norm, you have to add the calculations.
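An added example, not code from this repository or from either participant in the thread: one way to record the two query counts discussed above (first success, and first success with per-pixel L2 distortion under a bound) inside an attack loop, with an optional early stop. `QueryTracker`, `run` and `per_pixel_l2` are hypothetical names; the per-iteration cost of 2 x batch_size and the per-pixel metric (squared L2 distance divided by the element count) are assumptions to be checked against the code and the paper.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


def per_pixel_l2(orig: Sequence[float], adv: Sequence[float]) -> float:
    """Assumed metric: squared L2 distance divided by the number of elements."""
    if len(orig) != len(adv) or not orig:
        raise ValueError("images must be non-empty and the same size")
    return sum((a - o) ** 2 for o, a in zip(orig, adv)) / len(orig)


@dataclass
class QueryTracker:
    queries_per_iter: int                 # assumption: 2 * batch_size per iteration
    threshold: float = 0.0015             # per-pixel L2 bound quoted in the thread
    total: int = 0                        # queries charged so far
    first_success: Optional[int] = None   # queries at the first successful iteration
    first_under_threshold: Optional[int] = None  # queries at first success within bound

    def update(self, success: bool, distortion: float) -> bool:
        """Charge one iteration; return True once both milestones are recorded."""
        self.total += self.queries_per_iter
        if success and self.first_success is None:
            self.first_success = self.total
        if (success and distortion <= self.threshold
                and self.first_under_threshold is None):
            self.first_under_threshold = self.total
        return self.first_under_threshold is not None


def run(trace: Iterable[Tuple[bool, float]], queries_per_iter: int,
        early_stop: bool = True) -> QueryTracker:
    """Replay a per-iteration trace; stop at the bound if early_stop is set."""
    tracker = QueryTracker(queries_per_iter)
    for success, distortion in trace:
        if tracker.update(success, distortion) and early_stop:
            break
    return tracker


# Constructed trace: (attack succeeded?, per-pixel L2 distortion) per iteration.
TRACE = [(False, 0.0), (False, 0.0), (True, 0.0100),
         (True, 0.0040), (True, 0.0014), (True, 0.0012)]

if __name__ == "__main__":
    t = run(TRACE, queries_per_iter=2)
    print(t.first_success, t.first_under_threshold, t.total)
```

A run that never meets the bound leaves `first_under_threshold` as `None`, so it can be reported as a failure rather than being counted at the full query budget.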