kiddyboots216 / CommEfficient

PyTorch for benchmarking communication-efficient distributed SGD optimization algorithms

Query for the type of malicious attack #10

Closed chengyif closed 1 year ago

chengyif commented 1 year ago

Dear authors: I am now studying this paper and source code. I would like to ask what kinds of attack the letters "A", "B", "C" and "D" (in "MAL_ATTACK_TYPES" in utils.py) represent, respectively. Thank you!

kiddyboots216 commented 1 year ago

These attack type names are not descriptive, so maybe that can be updated with better names. The details for how the datasets are constructed are in data_utils/mal_utils.py

Attack type A: Any source class can map to any target class. The attacker will in expectation try to do every mapping: 2->7, 2->6, 6->5, 3->5, etc. This is an indiscriminate attack. Generally this requires changing the network to memorize all the mappings.

Attack type C: Any source class must map to a specific target class (in this repo it's hardcoded to 9 but you can change this). So 2->9, 3->9, 6->9. Basically we're overriding the entire functionality of the classifier to just classify every single image to a given class. This is done very easily by just modifying the classifier layer.

Attack type C: A specific source class can map to any target class. 2->1, 2->3, 2->4, 2->5, 2->6, 2->7, but NOT 3->1. This has some element of targeting. In this repo the specific source class is hardcoded to 4 but you can modify this. This basically means that we need to change the way that features are extracted from images of the source class.

Attack type D (this is the attack that we use in the paper): This is a targeted attack. All images from class 4 should instead map to class 9.

Hope this helps.
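
Seen from the defender's side, the four mappings described in this reply leave different signatures in a model's errors on a clean held-out set. The sketch below is an added example, not code from the CommEfficient repo or its authors; the function name, the pattern labels, the thresholds and the sample pairs are all assumptions constructed for illustration.

```python
from collections import Counter

def flip_pattern(pairs, min_share=0.8, min_errors=20, baseline_error=0.05):
    """Name the structure of a model's mistakes on clean, correctly labelled data.

    pairs: iterable of (true_label, predicted_label).
    Returns (pattern, source_class, target_class); a class is None when no
    single class accounts for at least min_share of the errors.
    """
    pairs = list(pairs)
    errors = [(t, p) for t, p in pairs if t != p]
    if len(errors) < min_errors:
        return ("no-signal", None, None)
    src, src_n = Counter(t for t, _ in errors).most_common(1)[0]
    tgt, tgt_n = Counter(p for _, p in errors).most_common(1)[0]
    one_src = src_n / len(errors) >= min_share
    one_tgt = tgt_n / len(errors) >= min_share
    if one_src and one_tgt:
        return ("one-to-one", src, tgt)      # e.g. every 4 read as 9
    if one_tgt:
        return ("any-to-one", None, tgt)     # everything collapses onto one class
    if one_src:
        return ("one-to-any", src, None)     # one class scattered over the others
    # Scattered errors are also what an ordinary weak model produces, so only
    # report them when the error rate is above the clean baseline.
    if len(errors) / len(pairs) > baseline_error:
        return ("any-to-any", None, None)
    return ("no-signal", None, None)

# Constructed sample: 10 classes, 50 held-out images each, class 4 always read as 9.
SAMPLE = [(c, 9 if c == 4 else c) for c in range(10) for _ in range(50)]

if __name__ == "__main__":
    print(flip_pattern(SAMPLE))
```

Running this on a trusted validation split after each aggregation round gives a per-round label for the error structure, which an aggregate accuracy number alone does not show.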

chengyif commented 1 year ago

Now I understand it. Great thanks for your detailed reply!