Modified Square Attack to Randomized Defense

[sungyoon-lee]

Hi,

I want to apply the Square Attack to a randomized defense. You mentioned in the paper (https://arxiv.org/pdf/2003.01690.pdf) as follows:

We modify Square Attack to accept an update if it reduces the target loss on average over 20 forward passes and, as this costs more time we use only 1000 iterations,

but I don't know how to use the modified version of the Square Attack? Is it not implemented yet? Can you elaborate more on how to modify the code?

Thanks in advance!

[fra31]

Hi,

sorry for the late reply.

Square Attack accepts a candidate update if it improves the loss. Then for randomized defenses the idea is to compute the average loss (e.g. here) over multiple forward passes, according to the EoT principle, instead of just one as usual, and accept the update if the average loss is better than the current best one. In this way, one might mitigate the randomness of the forward pass. Also, I'd remove the early stopping (if misclassification is achieved for some point then the attack is not run on it anymore) since for randomized defense it might help to maximize the confidence or margin of misclassification.

These modifications are not implemented in the current version, since overall didn't lead to strong improvement over APGD.

Let me know if you have further questions!