Closed Tsingularity closed 4 years ago
For the pixel space attack, discretizing the pixel values shouldn't affect the outcome by much. In fact, we did this against Google Cloud Vision, which used to work very well until they fixed their issue. Another way is to choose epsilon so that epsilon * 255 is an integer value, hence the image is always discretized at every iteration.
Gotcha. Thanks!
Very interesting and smart work! And thanks for sharing the code.
In your implementation, I find that the pixel values of the perturbed images are still in the range of [0,1] and they are directly fed back into the network to get the attacked accuracy. However, in my understanding, the valid pixel values for an actual RGB image should be integers within the range [0,255]? So I am just wondering, if this discretization were added into the pipeline, how would the final accuracy be affected?
Sorry, I am not an expert in this field and thus not very familiar with these detailed data processing/evaluation metrics. But I do find that some papers overlooked the integer constraints while others pointed this out (for example, Towards Evaluating the Robustness of Neural Networks, page 8). In addition to the final attacking accuracy, I guess this issue would also slightly affect the l_inf or l_2 norm?
Thanks in advance!
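The point in the thread about choosing epsilon so that epsilon * 255 is an integer can be checked when evaluating robustness numbers; the following is an added example, not code from the repository under discussion. It assumes a constructed six-pixel 8-bit image, a fixed sign pattern standing in for the gradient sign, and hypothetical helper names (`quantize`, `iterate`, `evaluate`).

```python
# Constructed inputs: a tiny 8-bit "image" and a fixed sign pattern that stands
# in for sign(gradient). No model is involved; only the arithmetic is shown.
X0_8BIT = [30, 100, 128, 200, 90, 60]
SIGNS = [1, -1, 1, 1, -1, -1]

def quantize(x):
    """Round each value to the nearest 8-bit level, as saving to PNG would."""
    return [min(255, max(0, round(v * 255))) / 255 for v in x]

def on_grid(x, tol=1e-6):
    """True if every value is (numerically) an integer multiple of 1/255."""
    return all(abs(v * 255 - round(v * 255)) < tol for v in x)

def linf(a, b):
    return max(abs(p - q) for p, q in zip(a, b))

def iterate(x0, eps, alpha, steps):
    """Signed steps of size alpha, projected onto the eps-ball and [0, 1]."""
    x, stayed = list(x0), True
    for _ in range(steps):
        x = [v + alpha * s for v, s in zip(x, SIGNS)]
        x = [min(max(v, c - eps), c + eps) for v, c in zip(x, x0)]
        x = [min(1.0, max(0.0, v)) for v in x]
        stayed = stayed and on_grid(x)
    return x, stayed

def evaluate(eps, alpha, steps=10):
    """Compare the float-valued result with its 8-bit rounded version."""
    x0 = [v / 255 for v in X0_8BIT]
    x, stayed = iterate(x0, eps, alpha, steps)
    xq = quantize(x)
    return {
        "stayed_on_grid": stayed,           # discretized at every iteration?
        "linf_float": linf(x, x0),          # norm reported on [0, 1] floats
        "linf_8bit": linf(xq, x0),          # norm of the image actually saved
        "changed_by_rounding": linf(x, xq)  # how far rounding moves the input
    }

if __name__ == "__main__":
    print("eps=8/255, alpha=2/255:", evaluate(8 / 255, 2 / 255))
    print("eps=0.03,  alpha=0.007:", evaluate(0.03, 0.007))
```

With eps = 8/255 the rounded image is identical to the float one, while with eps = 0.03 rounding pushes the l_inf distance to 8/255, slightly above the nominal budget, so reported norms and accuracies should be measured on the quantized image.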