Closed Eric-mingjie closed 4 years ago
We did not encounter this problem when running our attack. Could you please confirm that the code runs fine on a local model?
One possible explanation is that the step size you used is too small, and the output image file quantized it to zero. Maybe you can try the GCV attack again with a larger step size?
Thanks for your timely response.
I have tried running the attack against an ImageNet model first. Everything works well.
I did check the output image file; it is different from the original clean image with step size 0.2.
The step size I tried was 0.2, which I think is the value you reported in your paper. I also tried step size 0.4. The score of the top class still remains constant.
This sounds very strange. I can only suspect that something changed internally in GCV. I will investigate this issue further next week.
After some testing, we confirmed the suspicion that GCV updated their model to be more robust, and in turn our attack no longer works on GCV. We will update our repo to reflect this.
I was using your code (simba_single.py) in the GitHub repo to attack the Google Cloud Vision API. However, I found that the probability score of the top class stays exactly the same for the initial 20 iterations. (I only tried 20 iterations as I want to save my quota.) It seems that the attack becomes stuck right at the beginning. What is the problem here?
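The quantization explanation raised in this thread can be checked offline before spending API quota. The following is an added example, not code from the repository: it assumes pixels are floats in [0, 1] and that the image is saved at 8 bits per channel, and the names `quantize`, `perturb` and `surviving_fraction` and the sample pixels are constructed for illustration.

```python
# Added diagnostic: does a perturbation survive being written to an 8-bit image?
# Assumption: pixel values are floats in [0, 1]; the file stores round(x * 255).

def quantize(x):
    """Return the 8-bit level stored for a float pixel, after clipping to [0, 1]."""
    x = min(1.0, max(0.0, x))
    return int(x * 255 + 0.5)

def perturb(clean, indices, eps):
    """Add eps to the chosen coordinates (no clipping yet; quantize() clips)."""
    out = list(clean)
    for i in indices:
        out[i] += eps
    return out

def surviving_fraction(clean, perturbed):
    """Fraction of modified coordinates whose stored 8-bit value actually changes."""
    touched = [(c, p) for c, p in zip(clean, perturbed) if c != p]
    if not touched:
        return 0.0
    changed = sum(1 for c, p in touched if quantize(c) != quantize(p))
    return changed / len(touched)

# Constructed sample pixels, chosen on the 8-bit grid (levels 26, 128, 230, 255).
CLEAN = [26 / 255, 128 / 255, 230 / 255, 255 / 255]

if __name__ == "__main__":
    for eps in (0.001, 1 / 255, 0.2):
        frac = surviving_fraction(CLEAN, perturb(CLEAN, range(len(CLEAN)), eps))
        print(f"eps={eps:.4f}: {frac:.0%} of modified pixels change on disk")
    # eps=0.001 is rounded away entirely. eps=0.2 moves pixels by 51 levels,
    # except where the pixel is already saturated at 255 and clipping absorbs it.
```

A step below half a level (1/510) can vanish completely, while a step of 0.2 is lost only on saturated pixels, which matches the report above that the saved image did differ from the clean one.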