cg563 / simple-blackbox-attack

Code for ICML 2019 paper "Simple Black-box Adversarial Attacks"
MIT License

discrete integer pixel value? #9

Closed Tsingularity closed 4 years ago

Tsingularity commented 4 years ago

Very interesting and smart work! And thanks for sharing the code.

In your implementation, I find that the pixel values of the perturbed images are still in the range [0,1] and they are directly fed back into the network to get the attacked accuracy. However, in my understanding, the valid pixel values for an actual RGB image should be integers within the range [0,255]? So I am just wondering, if this discretization were added to the pipeline, how would the final accuracy be affected?

Sorry, I am not an expert in this field and thus not very familiar with these detailed data processing/evaluation metrics. But I do find that some papers overlooked the integer constraints while others pointed this out (for example, "Towards Evaluating the Robustness of Neural Networks", page 8). In addition to final attacking accuracy, I guess this issue would also slightly affect the l_inf or l_2 norm?

Thanks in advance!

cg563 commented 4 years ago

For the pixel space attack, discretizing the pixel values shouldn't affect the outcome by much. In fact, we did this against Google Cloud Vision, which used to work very well until they fixed their issue. Another way is to choose epsilon so that epsilon * 255 is an integer value, hence the image is always discretized at every iteration.

Tsingularity commented 4 years ago

Gotcha. Thanks!
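The point in cg563's reply about choosing epsilon so that epsilon * 255 is an integer can be checked numerically. The sketch below is an added example, not part of the thread or the repository's code: the function names, the constructed random 8-bit image, and the step sizes 0.03 and 8/255 are assumptions, and no model is queried. It applies clipped ±epsilon coordinate steps and reports how far the result drifts from the 8-bit grid and how the l_2 / l_inf norms change after rounding to 8 bits.

```python
import math
import random

def quantize(img):
    """Round each value in [0,1] to the nearest 8-bit level k/255."""
    return [min(255, max(0, round(v * 255))) / 255 for v in img]

def grid_drift(img):
    """Largest distance, in 8-bit levels, between a value and its nearest level."""
    return max(abs(v * 255 - round(v * 255)) for v in img)

def pixel_steps(img, eps, n_steps, seed=0):
    """Add +/-eps to randomly chosen coordinates, clipping to [0,1].
    Stands in for pixel-space coordinate steps; no model is involved."""
    rng = random.Random(seed)
    out = list(img)
    for _ in range(n_steps):
        i = rng.randrange(len(out))
        out[i] = min(1.0, max(0.0, out[i] + rng.choice((-eps, eps))))
    return out

def norms(a, b):
    """Return (l_2, l_inf) of a - b."""
    d = [x - y for x, y in zip(a, b)]
    return math.sqrt(sum(t * t for t in d)), max(abs(t) for t in d)

def compare(eps, n_pixels=3072, n_steps=500, seed=0):
    """Drift from the 8-bit grid, and norms before and after quantization."""
    rng = random.Random(seed)
    # Constructed sample: a random image that starts on the 8-bit grid.
    clean = [rng.randrange(256) / 255 for _ in range(n_pixels)]
    adv = pixel_steps(clean, eps, n_steps, seed + 1)
    return {
        "drift": grid_drift(adv),
        "float": norms(adv, clean),
        "quantized": norms(quantize(adv), clean),
    }

if __name__ == "__main__":
    for label, eps in (("eps=0.03", 0.03), ("eps=8/255", 8 / 255)):
        print(label, compare(eps))
```

With epsilon = 8/255 the perturbed image never leaves the 8-bit grid, so the reported norms are the norms of a valid integer image; with epsilon = 0.03 each coordinate can move by up to half a level when saved as 8-bit.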