Some questions about the paper

[PPPPPPPeng]

Since don't know how to get your email address, I am here to ask for advice. After reading your paper, I have the following questions I hope you can help me understand better：

1. Is the ||·||∈[0,1] mentioned on page4 represent the dissimilarity score or just the feature space distance? It says lower indicates more similarity, but I see your code it's a function about cosine similarity, which the higher the more similarity. If this is the feature space distance, where use the dissimilarity score?
2. the C-BCE objective function is useful, but why not use the Jsg function mentioned in formulation(13) to these label-based methods, You use this function to transform the PGD method to SGADV, can this optimization function be used in DeepFool, FGSM?
3. I think SGADV is more like a PGD variation in FRS, and the convergence method is the reason why it outperforms the C-BCE objective function label-based method?

[azrealwang]

Since don't know how to get your email address, I am here to ask for advice. After reading your paper, I have the following questions I hope you can help me understand better：

email: hanrui.wang@monash.edu

1. Is the ||·||∈[0,1] mentioned on page4 represent the dissimilarity score or just the feature space distance? It says lower indicates more similarity, but I see your code it's a function about cosine similarity, which the higher the more similarity. If this is the feature space distance, where use the dissimilarity score?

In our terms, dissimilarity score = eq. 23: normalized cosine distance (feature space distance). "cosine similarity" is a function in code, which reflects to 1-"dissimilarity score". It is just because "CosineSimilarity" can be imported in code but ||·||∈[0,1] is easy to explain in equation.

2. the C-BCE objective function is useful, but why not use the Jsg function mentioned in formulation(13) to these label-based methods, You use this function to transform the PGD method to SGADV, can this optimization function be used in DeepFool, FGSM?

In conclusion, label-based attacks whose attack aim is misclassification, e.g., misclassify user A to B, do not request "optimised adversary" (referring to the results of the white-box attacks). For label-based attacks, cross-entropy (CE) function (if 2 classes only, Binary-CE) is generally used with label information. However, CE or BCE does not apply to the face recognition (and all techniques determined by a threshold, referring to section IV-A3). This is the major reason we developed C-BCE to emulate the label-based adversarial attacks against face recognition. And yes, our objective funtion applies to all existing attacks where the system decision is determined by the similarity score. It's just like how we replace the CE with C-BCE in CW, Deepfool and FGSM. We use PGD as a toy example (or you can say a base) because it is simple and efficient.

3. I think SGADV is more like a PGD variation in FRS, and the convergence method is the reason why it outperforms the C-BCE objective function label-based method?

Yes it benefits from the optimisation of the convergence (adversarial machine learning process). But as mentioned above, PGD is just a toy example. We'd like to state that all existing methods can benefits from the optimisation of SGADV instead of an algorithm-specific variation. We claim the SGADV an attack technique which is more practical in the gray-box setting. We also claim the objective function (13) is the key to increase attack performance in the gray-box setting.

[PPPPPPPeng]

email: hanrui.wang@monash.edu

Thank you for such a prompt reply, I'll contact you by email next time!