Closed fzgang111 closed 3 years ago
(1) 'rand', 'diag' and 'stride' all sample in the top-left (rd x rd) entries of the frequency domain, but the sampling order is different. For instance, 'rand' is completely uniformly random across the (rd x rd) entries, whereas 'stride' first randomly samples within a block of initial_size x initial_size before expanding this block by stride and randomly sampling in the remaining entries. You can see an example of each of the sampling orders in https://github.com/cg563/simple-blackbox-attack/blob/master/utils.py.
(2) In both SimBA and the LF-BA and LF-NES attacks in the "Low Frequency Adversarial Perturbation" paper, the idea is that one needs to make the minimal amount of change from a pixel-based attack to a low frequency attack in order to see an improvement in query efficiency. In BA and NES attacks, the attacker samples a random Gaussian vector during each iteration, so the simplest change to low frequency attack would be sampling a Gaussian vector in the low frequency domain. In SimBA, the attacker samples a random coordinate during each iteration, and so we mimic the sampling strategy in the SimBA-DCT version by sampling a random coordinate in the low frequency domain. I hope this answers your question.
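An added example, not part of the original thread and not the repository's utils.py: a single-channel sketch of the 'rand' and 'stride' orders written only from the description in the reply above, showing how far into the higher frequencies each order has reached after a given number of samples. The function names and the rd, initial_size and stride values are assumptions chosen for illustration.

```python
import random

def rand_order(rd, rng):
    """'rand': one uniform shuffle over every entry of the rd x rd block."""
    coords = [(r, c) for r in range(rd) for c in range(rd)]
    rng.shuffle(coords)
    return coords

def stride_order(rd, initial_size, stride, rng):
    """'stride': shuffle the initial block first, then grow the block by
    `stride` and shuffle only the entries each growth step newly exposes."""
    if initial_size < 1 or stride < 1:
        raise ValueError("initial_size and stride must be >= 1")
    order, prev, size = [], 0, min(initial_size, rd)
    while prev < rd:
        # Entries inside the current block but outside the previous one.
        band = [(r, c) for r in range(size) for c in range(size)
                if r >= prev or c >= prev]
        rng.shuffle(band)
        order.extend(band)
        prev, size = size, min(size + stride, rd)
    return order

def highest_freq(order, n):
    """Largest row/column index touched by the first n sampled coordinates."""
    return max(max(r, c) for r, c in order[:n])

if __name__ == "__main__":
    rng = random.Random(0)              # constructed seed
    rd, initial_size, stride = 8, 2, 2  # constructed sizes
    for name, order in (("rand", rand_order(rd, rng)),
                        ("stride", stride_order(rd, initial_size, stride, rng))):
        # How high in frequency each order has reached after n samples.
        print(name, [highest_freq(order, n) for n in (4, 16, 36, 64)])
```

Both orders visit the same rd x rd coordinates; under 'stride' the early samples stay in the lowest frequencies, while 'rand' can land anywhere in the block from the first sample.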
Yes. I already understand, thank you.
I have two questions about the low frequency. (1) I have read the paper "Low Frequency Adversarial Perturbation". In this paper, we can achieve the goal of the low frequency with the inverse DCT transform by considering the top-left rd × rd entries. However, when I read the code, I find the 'order' parameter. I don't know how this parameter reflects the low frequency. I want to know the difference between 'rand', 'diag' and 'stride'. (2) In the "Low Frequency Adversarial Perturbation" paper, we use random noise as the perturbation. But in the current code, I found that each iteration of the code only modifies a frequency domain value. Why not use random noise? I hope you can explain my question a little more. Thank you.