Trusted-AI / adversarial-robustness-toolbox

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams
https://adversarial-robustness-toolbox.readthedocs.io/en/latest/
MIT License

two questions on zoo attack. #845

Closed KK666-AI closed 3 years ago

KK666-AI commented 3 years ago

Dear authors, I really like this toolbox. It's very helpful.

For the zoo attack on this class, it's inefficient when there are many examples (vector-form data) to attack. Why not implement the batch version?

Another question: it seems that coordinate descent is the key limitation for the convergence. Is there another method to optimize zeroth order optimization without coordinate descent?

beat-buesser commented 3 years ago

Hi @lihuiknight Thank you very much for using ART!

I don't think there is a reason to not implement a batch version of ZooAttack, my guess would be that it was easier to start with implementing a single sample version and because of the option nb_parallel, setting the number of coordinate updates running in parallel to speed up the attack, multiplies the batch size. A higher value for nb_parallel should be preferable over a large batch size. Are you thinking of implementing a batch version?

I think there are currently no other optimizations implemented in ZooAttack.

mathsinn commented 3 years ago

Coordinate-wise descent is indeed query inefficient, we might want to consider using random-vector based version as well. The paper reference: https://openreview.net/forum?id=BJe-DsC5Fm The more efficient gradient estimator is using the random vectors {u_{i,j}} as defined in (3). i is the index for samples in a batch. If you are attacking images individually, your batch size = 1 and you can ignore the i index. Using (3), gradient estimation takes q+1 queries instead of 2d queries in coordinate case. q is a hyperparameter (the number of random vectors) to balance estimation error and query efficiency. (Thanks to Pin-Yu Chen for the suggestion and guidance.)

KK666-AI commented 3 years ago

Thanks for sharing this paper. Does the toolbox contain the implementation of this paper?

KK666-AI commented 3 years ago

@beat-buesser Thanks for your reply. I notice that nb_parallel is used to perform multiple coordinate descent for ONE sample with the vector-form data. Such an approach somehow can accelerate the coordinate descent's convergence. I think when implemented with batch parallel coordinate descent, the code will be more efficient because it can benefit from the tensor tricks in numpy or pytorch.

mathsinn commented 3 years ago

> thanks for sharing this paper. Does the toolbox contain the implementation of this paper?

No, it only contains the implementation of the original ZOO algorithm. But we may consider adding this implementation for a future release.
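
The query-cost difference discussed in this thread (2d queries for coordinate-wise estimation versus q+1 for random vectors), as an added example that is not part of the thread and not ART code. The function names, the toy quadratic loss, the d/(mu*q) scaling and the unit-sphere sampling are assumptions of this sketch.

```python
import math
import random

class QueryCounter:
    """Wraps a black-box scalar function and counts its queries."""
    def __init__(self, fn):
        self.fn, self.queries = fn, 0
    def __call__(self, x):
        self.queries += 1
        return self.fn(x)

def coordinate_gradient(f, x, h=1e-4):
    """Symmetric difference on every coordinate: 2*d queries."""
    grad = []
    for k in range(len(x)):
        plus, minus = list(x), list(x)
        plus[k] += h
        minus[k] -= h
        grad.append((f(plus) - f(minus)) / (2 * h))
    return grad

def random_vector_gradient(f, x, q, rng, mu=1e-4):
    """Forward difference along q random unit vectors: q + 1 queries."""
    d, base, grad = len(x), f(x), [0.0] * len(x)
    for _ in range(q):
        u = [rng.gauss(0.0, 1.0) for _ in range(d)]
        norm = math.sqrt(sum(v * v for v in u))
        u = [v / norm for v in u]  # uniform direction on the unit sphere
        delta = f([xi + mu * ui for xi, ui in zip(x, u)]) - base
        grad = [g + (d / (mu * q)) * delta * ui for g, ui in zip(grad, u)]
    return grad

def cosine(a, b):
    dot = sum(p * r for p, r in zip(a, b))
    return dot / (math.sqrt(sum(p * p for p in a)) * math.sqrt(sum(r * r for r in b)))

def compare(d=50, q=20, seed=0):
    """Constructed toy loss f(x) = sum((x_i - t_i)^2) with known gradient 2(x - t)."""
    rng = random.Random(seed)
    t = [rng.uniform(-1.0, 1.0) for _ in range(d)]
    x = [0.0] * d
    true_grad = [2.0 * (xi - ti) for xi, ti in zip(x, t)]
    f_coord = QueryCounter(lambda v: sum((vi - ti) ** 2 for vi, ti in zip(v, t)))
    f_rand = QueryCounter(f_coord.fn)
    g_coord = coordinate_gradient(f_coord, x)
    g_rand = random_vector_gradient(f_rand, x, q, rng)
    return {"coord_queries": f_coord.queries, "rand_queries": f_rand.queries,
            "coord_cos": cosine(g_coord, true_grad), "rand_cos": cosine(g_rand, true_grad)}

if __name__ == "__main__":
    print(compare())
```

The cosine values show the trade-off named in the thread: the random-vector estimate uses far fewer queries but is noisier, and q controls that balance.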