s-huu / TurningWeaknessIntoStrength

Official implementation for paper: A New Defense Against Adversarial Images: Turning a Weakness into a Strength

Do you have a recommended attack parameterization? #4

Closed jrounds closed 4 years ago

jrounds commented 4 years ago

Hi,

Thanks for releasing your code. Replicating your work on new images to learn from you.

I did:

  1. set up of the imagenetdata directory with imagenet images and your bash script. No problem.
  2. mkdir -p data/
  3. python attack.py --setting=white --real_dir=data/real --adv_dir=data/adv_dir --name="run1" --base=inception > log_attack_white_inception_001.txt 2>&1

No problem everything ran fine.

Then I extracted the attack images from the tensors with:

  4. python extract.py data/adv_dir data/adv_img_dir

Script available here: https://gist.github.com/jrounds/f5ebef6724ac566d2e96f4795aef12e8

Result

Then I looked at the images. This is where I should say I have prior experience with CW attacks and in particular the cleverhans reference implementation. Generally speaking a correctly parameterized CW and DeepFool will not usually be noticeable to the human eye.

But these images from 4 are much different as they have splotching for CW-attacked images: [image]

Do you have a suggested parameterization of 3 that might result in a subtler CW?

s-huu commented 4 years ago

Hi. Sorry for the late response. The level of perturbation is expected given that our adversarial radius here is l_inf=0.1. If you want an image that looks less perturbed, you can adjust the l_inf=0.03. Specifically, you can adjust the lr parameter in PGD or CW in attack.py by setting that to be 0.03. Thanks!
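
A way to check which l_inf radius a real/adversarial pair actually uses, and whether it still fits the budget after the image has been saved as an 8-bit file. This is an added example, not code from the repository or from either commenter; the function names, the flat-list image layout and the [0, 1] pixel scale are assumptions, and the sample pixels are constructed.

```python
"""Audit the L-infinity size of an adversarial perturbation (added example).

Assumptions: each image is a flat list of floats in [0, 1]; names are hypothetical.
"""

def linf_audit(real, adv, eps, tol=1e-6):
    """Return perturbation statistics for one real/adversarial pair."""
    if len(real) != len(adv):
        raise ValueError("image size mismatch")
    diffs = [abs(a - r) for r, a in zip(real, adv)]
    linf = max(diffs)
    return {
        "linf": linf,
        # The same distance expressed in 0..255 pixel levels.
        "linf_levels": linf * 255,
        "l2": sum(d * d for d in diffs) ** 0.5,
        # Share of pixels sitting on the edge of the eps-ball. A high share
        # means the perturbation saturates the budget across the image.
        "frac_at_bound": sum(1 for d in diffs if d >= eps - tol) / len(diffs),
        "within_budget": linf <= eps + tol,
    }

def quantize_8bit(img):
    """Model saving to an 8-bit image: clamp, round to 0..255, rescale."""
    return [round(min(max(p, 0.0), 1.0) * 255) / 255 for p in img]

if __name__ == "__main__":
    # Constructed sample: four pixels, three of them moved by the full 0.1.
    real = [0.2, 0.5, 0.8, 0.4]
    adv = [0.3, 0.4, 0.9, 0.45]
    for eps in (0.1, 0.03):
        print(eps, linf_audit(real, adv, eps))
    # Rounding to 8 bits can move each pixel by up to 0.5/255, so an audit
    # of extracted image files needs a tolerance of about one pixel level.
    print(linf_audit(real, quantize_8bit(adv), 0.1, tol=1 / 255))
```

On the [0, 1] scale a radius of 0.1 is 25.5 pixel levels out of 255, while 0.03 is about 7.7 levels.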