有关对抗样本攻击的问题
Closed this issue · 2 comments
lequied commented
您好,为什么每个攻击方法都是,首先随机初始化扰动,然后使用攻击方法,对扰动求梯度,并更新梯度,最后把最新更新的梯度加上,从而形成了最终的对抗样本。而我们在制作对抗样本的时候,不应该是要对对抗样本整体做更新吗?难道这两者是等价的吗?能否解答一下,谢谢
xiaosen-wang commented
Generating adversarial example is to generate the adversarial perturbation, which is added to the benign sample to craft adversarial example. For iterative attack, we feed the current adversarial example, i.e., the benign sample with the current perturbation, to calculate the gradient to update the perturbation.
zqyjww commented
May I ask if I can try to generate adversarial samples using ResNet50 or ResNet152 as proxy models? For example, Python main. py -- input_ir/ path/to/data --output_dir adv_data/logit/resnet18_targeted --attack logit --model=resnet50 --targeted