How do we set a constraint on L2 distance for the CW L2 attack and the DeepFool attack? In attack publications, authors mention a smaller Lp distance to claim a stronger attack, but how to limit L2 distance to a fixed value is confusing. For L-infinity it can be a max min crop, but L2 distance is the average L2 distance on pixel value if I am not wrong, and how do we set that to be a fixed value?
1 Answer
0
Adversarial examples are commonly crafted by introducing a perturbation that changes the classifier's prediction while the underlying class of the input did not change. Setting a maximum value for the norm of that introduced perturbation is difficult, whether the norm is measured with L2 or Linfinity. Typically, this norm is constrained to be smaller than a certain constant epsilon, because we assume that if epsilon is small enough, it is unlikely that the underlying class of the input changed once it has been perturbed. However, we now know that it is difficult to set a value of epsilon that holds across all inputs. You can find more details here: https://arxiv.org/abs/1903.10484

Nicolas Papernot
Hi Nicolas, thank you for the explanation. I just went through the source code on cleverhans. For PGD and momentum attacks we can set eps and ord as the input for generating adversarial examples, that is, choosing the Lp norm and the corresponding norm ball boundary. If I want to do the same for the CW2 attack, I can add the same L2 norm ball check on o_bestl2 too, right? I am trying to reproduce a defense paper's results so I want to keep the same distance metric. – L.Sun Aug 01 '19 at 18:29
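Added example, not part of the original thread and not cleverhans code: a minimal sketch of the two usual ways to apply a fixed L2 budget when measuring a defense's robustness. One projects a perturbation onto the L2 ball (the counterpart of L-infinity clipping); the other, suited to minimum-norm attacks such as CW L2 and DeepFool, keeps the attack unchanged and counts an adversarial example only if its L2 distance is within eps. All function names and sample values are constructed for illustration, and distances are assumed to be computed from the returned adversarial example rather than read from an attack-internal variable.

```python
import math

def l2_norm(delta):
    # Euclidean norm over ALL pixels: sqrt of the sum of squares, not a per-pixel mean.
    return math.sqrt(sum(d * d for d in delta))

def l2_distance(x, x_adv):
    return l2_norm([a - b for a, b in zip(x_adv, x)])

def project_l2(x, x_adv, eps):
    """Rescale the perturbation x_adv - x so that its L2 norm is at most eps.
    The projected point must be re-classified: it may no longer be adversarial."""
    delta = [a - b for a, b in zip(x_adv, x)]
    norm = l2_norm(delta)
    scale = min(1.0, eps / norm) if norm > 0 else 1.0
    return [b + scale * d for b, d in zip(x, delta)]

def project_linf(x, x_adv, eps):
    """L-infinity counterpart: clip each coordinate of the perturbation to [-eps, eps]."""
    return [b + max(-eps, min(eps, a - b)) for a, b in zip(x_adv, x)]

def robust_accuracy(records, eps):
    """Robust accuracy at a fixed L2 budget from a minimum-norm attack's output.
    records holds one (clean_correct, l2_dist) pair per input; l2_dist is None
    when the attack found no adversarial example. An input is robust at eps if
    it is classified correctly and no adversarial example lies within the ball."""
    robust = sum(1 for ok, d in records if ok and (d is None or d > eps))
    return robust / len(records)

# Constructed sample data: a flattened 4-pixel "image" and five evaluation records.
X = [0.0, 0.0, 0.0, 0.0]
X_ADV = [0.3, 0.4, 0.0, 0.0]          # perturbation with L2 norm 0.5
RECORDS = [(True, 0.8), (True, 2.5), (True, None), (False, 0.1), (True, 1.5)]

if __name__ == "__main__":
    print("L2 distance:", l2_distance(X, X_ADV))
    print("projected to eps=0.25:", project_l2(X, X_ADV, 0.25))
    for eps in (0.5, 1.5, 3.0):
        print("robust accuracy at eps", eps, "=", robust_accuracy(RECORDS, eps))
```

When reproducing a paper's numbers, confirm whether its reported L2 value is the norm, the squared norm, or a per-pixel normalised quantity before comparing against eps.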