cg563 / simple-blackbox-attack

Code for ICML 2019 paper "Simple Black-box Adversarial Attacks"
MIT License

Number of iterations for the 20-line implementation #6

averyma closed 4 years ago

averyma commented 4 years ago

In the 20-line implementation, is the maximum number of iterations the same as the image dimension?

So for instance, to attack a CIFAR10 image, the maximum num_iters can only be set to 3072?

averyma commented 4 years ago

Seems like the case. I noticed it in the other implementation as well.

https://github.com/cg563/simple-blackbox-attack/blob/38bf05b75c7f1668800722e7f0f6e038688b5dbe/run_simba.py#L196-L199

In Section S1 of the paper, it states the following:

Both methods achieve a success rate of 100% when limited to a maximum of 10,000 queries.

So do I just rerun the code 3 times for 10,000 queries? Or am I misunderstanding things?

cg563 commented 4 years ago

You are right that the maximum number of iterations is bounded by n_dims, which is 3072 for CIFAR-10. This means that the success rate is really 100% when limited to 3072 queries, instead of 10000. Sorry about the confusion.

averyma commented 4 years ago

Thanks for the quick reply!

One more question, I think Section S1 was talking about L2 attacks, while the 20-line seems to be for L_inf attacks: https://github.com/cg563/simple-blackbox-attack/blob/38bf05b75c7f1668800722e7f0f6e038688b5dbe/simba_single.py#L19

Is that correct?

cg563 commented 4 years ago

In general, we consider SimBA to be an L2 attack since the number of pixels that change is small. For example, if we change M pixels by epsilon, the L2 perturbation norm would be sqrt(M) * epsilon, but the L_inf norm is epsilon regardless of M. The epsilon that we set would be too large to be considered a successful L_inf attack, but the resulting L2 perturbation norm is well within reasonable bounds.
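The two points settled in this thread, as an added example that is not part of the thread or the repository's code: the iteration count is capped at n_dims, and M changed pixels give an L2 norm of sqrt(M) * epsilon while L_inf stays at epsilon. It assumes coordinates are visited in a random permutation without repeats; no model is queried (a constructed coin flip stands in for "the step was accepted"), and the epsilon and accept rate are constructed values.

```python
import math
import random

def coordinate_budget(n_dims, num_iters):
    """Each coordinate is visited at most once, so iterations cap at n_dims."""
    return min(num_iters, n_dims)

def simulate_perturbation(n_dims, num_iters, epsilon, accept_rate, seed=0):
    """Build a coordinate-wise perturbation without querying any model.

    Assumption: coordinates come from a random permutation (no repeats), and
    a coin flip with probability accept_rate stands in for an accepted step.
    """
    rng = random.Random(seed)
    order = list(range(n_dims))
    rng.shuffle(order)
    delta = [0.0] * n_dims
    steps = coordinate_budget(n_dims, num_iters)
    for idx in order[:steps]:
        if rng.random() < accept_rate:
            delta[idx] = rng.choice((-epsilon, epsilon))
    return delta, steps

def norms(delta):
    """Return (M, L2, L_inf): changed-coordinate count and both norms."""
    changed = sum(1 for d in delta if d != 0.0)
    l2 = math.sqrt(sum(d * d for d in delta))
    linf = max((abs(d) for d in delta), default=0.0)
    return changed, l2, linf

if __name__ == "__main__":
    n_dims = 3 * 32 * 32   # CIFAR-10 image: 3072 coordinates
    epsilon = 0.2          # constructed value for illustration
    for requested in (500, 3072, 10000):
        delta, steps = simulate_perturbation(n_dims, requested, epsilon, 0.3)
        m, l2, linf = norms(delta)
        print(f"requested={requested:5d} ran={steps:4d} M={m:4d} "
              f"L2={l2:.3f} sqrt(M)*eps={math.sqrt(m) * epsilon:.3f} "
              f"L_inf={linf:.3f}")
```

Requesting 10000 iterations runs only 3072, and L_inf reads epsilon on every row while L2 grows with the square root of M.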