Task Description - Prerequisite 1/6
These are the methodologies you should be familiar with first:
○ Attack objective: Non-targeted attack
○ Attack constraint: L-infinity norm and Parameter ε
○ Attack algorithm: FGSM attack
○ Attack schema: Black box attack (perform attack on proxy network)
○ Benign images vs Adversarial images
Task Description - TODO 2/6
● Fast Gradient Sign Method (FGSM)
○ Choose any proxy network to attack the black box
○ Implement non-targeted FGSM from scratch
● Any methods you like to attack the model
○ Implement any methods you prefer from scratch
○ Iterative Fast Gradient Sign Method (I-FGSM) --- medium baseline
○ Model ensemble attack --- strong/boss baseline
Task Description - FGSM 3/6
Fast Gradient Sign Method (FGSM)
Task Description - I-FGSM 4/6
Iterative Fast Gradient Sign Method (I-FGSM)
Task Description - Ensemble Attack 5/6
Choose a list of proxy models
Choose an attack algorithm (FGSM, I-FGSM, and so on)
Attack multiple proxy models at the same time
Delving into Transferable Adversarial Examples and Black-box Attacks
Query-Free Adversarial Transfer via Undertrained Surrogates
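An added example (not part of the original slides) that combines the pieces above: non-targeted I-FGSM over an ensemble of proxy models under the L-infinity budget ε = 8, with FGSM as the one-step case. The linear toy models, the sample pixels, the step size `alpha`, the choice to average gradients across proxies, and all function names are assumptions made for illustration.

```python
import math

EPS = 8.0  # L-inf budget on the 0-255 pixel scale (the page fixes epsilon at 8)

def logits(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def predict(W, x):
    z = logits(W, x)
    return max(range(len(z)), key=z.__getitem__)

def input_grad(W, x, y):
    """d(cross-entropy)/dx for a linear softmax model: W^T (softmax(Wx) - onehot(y))."""
    z = logits(W, x)
    m = max(z)
    e = [math.exp(v - m) for v in z]
    p = [v / sum(e) for v in e]
    p[y] -= 1.0
    return [sum(p[k] * W[k][i] for k in range(len(W))) for i in range(len(x))]

def ifgsm(models, x, y, eps=EPS, alpha=2.0, steps=10):
    """Non-targeted I-FGSM on an ensemble; steps=1 with alpha=eps is plain FGSM."""
    adv = list(x)
    for _ in range(steps):
        grads = [input_grad(W, adv, y) for W in models]
        g = [sum(col) / len(models) for col in zip(*grads)]  # ensemble: mean gradient
        adv = [a + alpha * ((gi > 0) - (gi < 0)) for a, gi in zip(adv, g)]
        # Project back into the eps-ball around x and the valid pixel range.
        adv = [min(max(a, xi - eps, 0.0), xi + eps, 255.0) for a, xi in zip(adv, x)]
    return adv

# Constructed toy data: 4 "pixels", 2 classes, linear models (not real CIFAR-10 networks).
X, Y = [110.0, 140.0, 100.0, 100.0], 0
PROXIES = [[[0.02, -0.02, 0.02, -0.01], [0.0] * 4],
           [[0.03, -0.02, 0.01, -0.01], [0.0] * 4]]
TARGET = [[0.02, -0.02, 0.03, -0.02], [0.0] * 4]  # stands in for the black box

if __name__ == "__main__":
    adv = ifgsm(PROXIES, X, Y)
    print("L-inf distance:", max(abs(a - b) for a, b in zip(adv, X)))
    print("target prediction:", predict(TARGET, X), "->", predict(TARGET, adv))
```

Because the toy proxies are linear, the gradient sign never changes and I-FGSM ends at the same point as one-step FGSM; on real networks the iterates differ.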
Task Description - Evaluation Metrics 6/6
Parameter ε is fixed as 8
Distance measurement: L-inf. norm
Model accuracy is the only evaluation metric
[Figure: benign image vs. adversarial images with ε = 8 and ε = 16]
Data Format 1/2
● Download link: link
● Images:
○ CIFAR-10 images
○ (32 * 32 RGB images) * 200
■ airplane/airplane1.png, …, airplane/airplane20.png
■ …
■ truck/truck1.png, …, truck/truck20.png
○ 10 classes (airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck)
○ 20 images for each class
Data Format 2/2
In this homework, we can perform attacks on pretrained models
Pytorchcv provides multiple models pretrained on CIFAR-10
A model list is provided here