max-andr / square-attack Goto Github PK

Hi,
When I read your paper, Why do you use two windows in L2 norm attack? I don't understand your L2 norm attack and the mass moving (Fig. 2)?
Can you explain that for easy to understand?
Thank you!

Could you please provide the targeted and untargeted results of MNIST and CIFAR-10？

In L-inf norm attack, square attack randomly samples different window positions for each image inside a mini-batch.
However, in L2 norm attack, square attack uses the same window position for different images of a mini-batch.
As shown in https://github.com/max-andr/square-attack/blob/master/attack.py#L156
Why?

2.In page 21 of the paper, i.e. my diagram below, how do I get the last step from (iii)

3.In Sec4.1, you only proved that g is an L-smooth objective function, but the loss function (1) in the paper is obviously not an L-smooth function, so how do you explain the convergence of the algorithm you proposed in this paper?

Hi, I am glad to learn from this interesting work. I got one question here. In attack.py Line#238, why do you add deltas on the variable, x_curr, instead of x_best_curr? Thanks a lot.

Hi, I'm very interested in your paper. I have a question. Why the value of epsilon in step 4 in Algorithm 2 needs to be multiplied by 2?

The code of args.loss = 'margin_loss' if not args.targeted else 'cross_entropy' is located in https://github.com/max-andr/square-attack/blob/master/attack.py#L282
Why the loss type is margin_loss in untargeted attack, but cross_entropy loss in targeted attack?

I cannot find the place of the official journal or conference that the square attack published on? Does this paper only published on ArXiv website?

I am applying the square l2 targeted attack on ImageNet dataset with VGG16 model, for n_ex=100, with p=0.05, n_iter=20000, eps=1275/255. First of my concern is that the attack sometimes starts with "nan" med#q_ae and avg#q_ae and second that it is taking 7k queries and also gives a success rate of only 61%.

Thanks for your great job! I have some trouble running your code.
I want to run your code on docker server. But since you use both Tensorflow and Pytorch, I could not find a proper docker image and encountered a lot of version errors. Finally I gave up and try to remove the Tensorflow part in your code (remove some irrelevant codes related to TFmodels in models.py) and just want to test on pt_inception model. But still I got some bug:

I appreciate if you can help me!

I tried running the basic attack from the example but I ran into this error.
I followed the requirements of installing Pytorch==1.0.0, tensorflow==1.12.0
I was using an Anaconda base with Python 3.6.

Was any of my dependencies different from what is required for the code to run? Thank you for your help

Hi:
I am working on adversarial attack research area. I recently read your paper square attack, which is particularly for me to experiment.

But in Section 5.2, you mention that you experiment your square attack to break the defensive model of Clean Logit Pairing (CLP), Logit Squeezing (LSQ) and post-averaging randomized defense method.

Can you provide the code of these defensive model/method for me so that I can do these experiments. I will cite your paper!!
Thank you!

I wonder the use of maximum bound of Linf and L2 attack in the update is the best choice?
For example, I mean deltas[i_img, :, center_h:center_h+s, center_w:center_w+s] = np.random.choice([-eps, eps], size=[c, 1, 1]) in https://github.com/max-andr/square-attack/blob/master/attack.py#L236
Can it change to a value inside the [-eps, eps] interval? (smaller than eps) Would it possible be better?