aamir-mustafa / pcl-adversarial-defense

Adversarial Defense by Restricting the Hidden Space of Deep Neural Networks, in ICCV 2019

Missing CW attack #14

Closed shairoz closed 4 years ago

shairoz commented 4 years ago

Thank you for sharing your code. In the paper you also perform the Carlini & Wagner L2 attack. Do you intend to add that attack as well to your code?

Thanks

aamir-mustafa commented 4 years ago

Hi,

Thanks for your interest in our work. We have provided the code for FGSM and PGD for adversarial training of our models. In regard to the CW attack, it has only been used to evaluate the robustness achieved by the aforementioned trained models. You can find official implementations of the CW attack published by the authors online.

Thanks Aamir

shairoz commented 4 years ago

Thank you @aamir-mustafa for your reply. I was wondering about the additional parameters used for the CW attack, especially for cifar100, other than the learning rate, initial const and iterations, which are 0.01, 0.1 and 1000, namely: binary_search_steps, norm type (L2? L1?). Was the attack untargeted in terms of class? Did the perturbation limit (0.03 for cifar100) have any implication on the CW attack?

Thanks

aamir-mustafa commented 4 years ago

We used L2 CW Attack (Untargeted) and yes, the perturbations were not allowed to exceed 0.03 for CIFAR 10/100 and 0.3 for MNIST.

Hope that helps

Best

Aamir

shairoz commented 4 years ago

Thank you again @aamir-mustafa, this is very helpful. Just to clarify, say for cifar10, if an image, after being perturbed with the CW-L2 attack (which doesn't have a maximal allowed perturbation parameter like PGD or FGSM), had a perturbation that exceeds 0.03, did you consider that a failure of the attack, i.e., a correctly classified image? And if so, is that an upper bound in L_inf or L2 for CW?

Thanks, Shai
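The bookkeeping behind the last question, as an added example that is not part of the original thread or the authors' code: robust accuracy under the rule that an adversarial example whose perturbation exceeds the budget counts as a failed attack (so the clean prediction stands), computed under both an L_inf and an L2 reading of the 0.03 budget. The rule itself, the toy images and the predictions are constructed assumptions, not something the authors confirmed.

```python
import math

# Constructed toy data: each "image" is a flat list of pixel values in [0, 1].
# Real CIFAR images have 32*32*3 values; three pixels are enough to show the rule.
CLEAN = [[0.50, 0.50, 0.50], [0.20, 0.40, 0.60], [0.10, 0.10, 0.10],
         [0.90, 0.80, 0.70], [0.30, 0.30, 0.30]]
ADV = [[0.52, 0.52, 0.52],   # every pixel moved by 0.02: L_inf 0.02, L2 ~0.0346
       [0.20, 0.40, 0.60],   # attack changed nothing (no adversarial example found)
       [0.15, 0.10, 0.10],   # one pixel moved by 0.05: L_inf 0.05, L2 0.05
       [0.90, 0.80, 0.70],   # unchanged; this image was already misclassified
       [0.31, 0.31, 0.31]]   # every pixel moved by 0.01: within both budgets
LABELS = [0, 1, 2, 3, 4]
CLEAN_PRED = [0, 1, 2, 1, 4]   # model output on the clean images (constructed)
ADV_PRED = [3, 1, 0, 1, 2]     # model output on the perturbed images (constructed)


def perturbation_size(x, x_adv, norm):
    """Size of x_adv - x under the chosen norm ("linf" or "l2")."""
    diffs = [a - b for a, b in zip(x_adv, x)]
    if norm == "linf":
        return max(abs(d) for d in diffs)
    if norm == "l2":
        return math.sqrt(sum(d * d for d in diffs))
    raise ValueError(f"unknown norm {norm!r}")


def robust_accuracy(clean, adv, labels, clean_pred, adv_pred, eps, norm):
    """Return (robust accuracy, number of attacks discarded for exceeding eps).

    Assumed rule (the interpretation asked about in the thread, not confirmed by
    the authors): if the perturbation exceeds eps, the attack is treated as a
    failure and the clean prediction is used; otherwise the adversarial
    prediction is used. An image counts as robust only if the final prediction
    matches its label, so images misclassified before the attack never count.
    """
    correct = 0
    over_budget = 0
    for x, x_adv, y, y_clean, y_adv in zip(clean, adv, labels, clean_pred, adv_pred):
        if perturbation_size(x, x_adv, norm) > eps:
            over_budget += 1
            final_pred = y_clean
        else:
            final_pred = y_adv
        correct += int(final_pred == y)
    return correct / len(labels), over_budget


if __name__ == "__main__":
    for norm in ("linf", "l2"):
        acc, dropped = robust_accuracy(CLEAN, ADV, LABELS, CLEAN_PRED, ADV_PRED, 0.03, norm)
        print(f"{norm}: robust accuracy {acc:.2f}, attacks over budget {dropped}")
```

The same 0.03 figure discards one attack under L_inf but two under L2 on this data, which is why the norm the budget is measured in changes the reported robustness.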