I use the cleverhans code for CW to produce adversarial examples on ImageNet. The target model is InceptionV3 (from Keras) and I want to use CW for a targeted attack. But when I save the adversarial images, they have changed a lot from the original images. I think maybe I am using the wrong parameters.

cw_params = {'binary_search_steps': 10, 'y_target': None,  # (I specify the y_target later)
             'max_iterations': 20000, 'learning_rate': .0002, 'batch_size': 1, 'initial_const': 10}

I have tried a lot of parameters, but I still can't get the same great results as in Carlini's paper. And when I use these parameters, the running time is really long. I don't know what a proper running time is.

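# Just some key code (wrap, sess and item_in_seed are defined elsewhere, not shown):
import numpy as np
from keras.preprocessing import image
from cleverhans.attacks import CarliniWagnerL2

# Load one seed image at InceptionV3's input size and add a batch dimension
temp_seeds = np.array(image.load_img(item_in_seed, target_size=(299, 299)))
temp_seeds = np.expand_dims(temp_seeds, axis=0)
cw = CarliniWagnerL2(wrap, sess=sess)
cw_params = {'binary_search_steps': 10,
             'y_target': None,  # (I specify the y_target later)
             'max_iterations': 20000,
             'learning_rate': .0002,
             'batch_size': 1,
             'initial_const': 10}

adv = cw.generate_np(temp_seeds, **cw_params)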

The successful examples of the targeted attack have changed a lot from the original ImageNet images. How can I get a small perturbation and the same great results as in the CW paper?

123wjl

1 Answer

It is difficult to pin down the specific problem you are facing from this description, but here are two suggestions:

  • Make sure the input domain is easy to optimize over (the CW paper has a change of variables to ensure that box constraints are respected).

  • Make sure that you are passing the right values from the model to the attack when it comes to computing the adversary's loss. It is often the case that numerical instabilities will prevent attacks from properly functioning.

Hope this helps!
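The first suggestion, worked through as an added example (not code from the question, the answer, or cleverhans): the tanh change of variables from the CW paper keeps every candidate image inside a declared box, so that box has to match the range of the pixels passed in. The function names and sample pixels are constructed for illustration, and `clip_min`/`clip_max` here play the role of the attack's parameters of the same name.

```python
import math

SCALE = 0.999999  # keeps atanh finite when a pixel sits exactly on a bound


def to_tanh_space(pixels, clip_min, clip_max):
    """Map box-constrained pixels x to unconstrained w, with x = (tanh(w)+1)/2 rescaled."""
    ws = []
    for p in pixels:
        p = min(max(p, clip_min), clip_max)            # clip into the declared box
        unit = (p - clip_min) / (clip_max - clip_min)  # rescale to [0, 1]
        ws.append(math.atanh((unit * 2 - 1) * SCALE))
    return ws


def from_tanh_space(ws, clip_min, clip_max):
    """Inverse map: any real w lands back inside [clip_min, clip_max]."""
    return [(math.tanh(w) + 1) / 2 * (clip_max - clip_min) + clip_min for w in ws]


def l2(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def roundtrip_distortion(pixels, clip_min, clip_max):
    """L2 distance between the input and its reconstruction with zero perturbation."""
    ws = to_tanh_space(pixels, clip_min, clip_max)
    return l2(pixels, from_tanh_space(ws, clip_min, clip_max))


def perturbed_stays_in_box(pixels, clip_min, clip_max, delta):
    """Shift every w by delta; the optimizer can move w freely without leaving the box."""
    ws = [w + delta for w in to_tanh_space(pixels, clip_min, clip_max)]
    return all(clip_min <= p <= clip_max for p in from_tanh_space(ws, clip_min, clip_max))


# Constructed sample: raw 0..255 pixel values, as an image loaded without rescaling has
SAMPLE = [0.0, 12.0, 64.0, 128.0, 200.0, 255.0]

if __name__ == "__main__":
    # Box matches the data: the starting point is the original image
    print("box (0, 255):", roundtrip_distortion(SAMPLE, 0.0, 255.0))
    # Mismatched box: the image is distorted before any optimization step
    print("box (0, 1):  ", roundtrip_distortion(SAMPLE, 0.0, 1.0))
    # Rescaling the pixels to [0, 1] is the other way to make box and data agree
    print("scaled data: ", roundtrip_distortion([p / 255.0 for p in SAMPLE], 0.0, 1.0))
```

When the box does not match the data, the distortion is present at iteration zero, so no choice of `learning_rate` or `initial_const` can recover a small perturbation.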