What is the targeted attack approach by Szegedy et al.?
minimize ||x-x’||_2^2 + c J(x’, t)
such that x’ element [0,1]^n
=> t == target…
What are things to consider in Szegedy's approach?
how to choose c?
optimal attacker loss J?
How to enforce [0,1] limits on x’?
What did C+W do to find optimal c?
empirical approach
-> smallest c so that misclassification is good
(e.g. plot …)
binary search
expensive
What does C+W do to find better attacker loss than training loss L?
suggest several possible loss functions and compare them
What loss functions did C+W use?
f1(x’)
Training Loss - 1
f2(x’)
max(max_{i != t}(F(x’)_i) - F(x’)_t, 0)
f4(x’)
max(0, 0.5 - F(x’)_t)
f5(x’)
-log(2*F(x’)_t)
f6(x’)
max(max_{i != t}(Z(x’)_i) - Z(x’)_t, 0)
=> works best apparently
How does C+W solve the box constraint (x’ element [0,1])?
either:
Clipping x after each update
works poorly for more complicated optimizers
clip in objective function f via min(max(x’, 0), 1)
convergence problems -> flat spots
change of variables
How does C+W replace variables to fulfill box constraints?
x’ = 1/2(tanh(w)+1)
-> forces x’ to be in [0,1]
=> basically map x with a function that always maps into [0,1]
What is the final approach of C+W?
arg min_w || x - 0.5(tanh(w)+1)|| + c * f_6(0.5(tanh(w)+1), t)
Summary of C+W in comparison with other attacks
strong attack, better than baseline
expensive (due to finding c empirically e.g. binary search)
no threshold epsilon for maximal distortion
as opposed to FGSM and iterative FGSM
distortion controlled via hyperparameter c
-> FGSM fast
-> C+W good
What is the t in CW?
the target label…
What is the Carlini-Wagner condition that has to be fulfilled?
f_k(x’) <= 0
Last changed 2 years ago