Homework 1: Gray-box Attack
- Due Mar 27, 2024 by 11:59pm
- Points 10
- Submitting a file upload
- File Types zip
You will create untargeted adversarial examples to attack models for the CIFAR-100 classification task. (https://www.cs.toronto.edu/~kriz/cifar.html).
Your goal is to bring down the model accuracy as much as possible.
Five models will be chosen from this repository: https://github.com/osmr/imgclsmob. Which five is not disclosed (this is the gray-box aspect of the task), and some preprocessing defenses may be applied to the inputs to improve the models' robustness, so an attack that relies on the exact pixel values reaching the classifier may transfer poorly.
You are allowed to change each pixel of the input image by at most epsilon=8 on the 0-255 pixel scale (an L-infinity budget). Every pixel after the perturbation must still lie within 0 to 255 for the result to be a valid image.
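A worked example of the budget rule above (added here; it is not part of the assignment and not course code): an untargeted L-infinity PGD loop that projects every step back into the epsilon=8 ball around the benign image and into the valid 0-255 range, quantizes to integer pixels for PNG output, and a check you can run over each adversarial/benign pair before zipping. The model is a constructed 4-pixel, 3-class linear classifier, and ALPHA and STEPS are assumed values; the block is pure Python so it runs without numpy or PyTorch, which a real attack on the imgclsmob models would use instead.

```python
import math

EPS = 8       # assignment budget: each pixel may change by at most 8 on the 0-255 scale
ALPHA = 2.0   # per-step size in pixel units; an assumption, not from the assignment
STEPS = 10    # number of PGD iterations; an assumption, not from the assignment


def softmax(logits):
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]


def logits_of(W, b, x):
    """Linear model: logits = W x + b, with W as a list of per-class weight rows."""
    return [sum(wi * xi for wi, xi in zip(w, x)) + bi for w, bi in zip(W, b)]


def predict(W, b, x):
    z = logits_of(W, b, x)
    return max(range(len(z)), key=z.__getitem__)


def ce_input_gradient(W, b, x, y):
    """Gradient w.r.t. the input of cross-entropy(softmax(Wx+b), y) = sum_c (p_c - [c==y]) W_c."""
    p = softmax(logits_of(W, b, x))
    coef = [pc - (1.0 if c == y else 0.0) for c, pc in enumerate(p)]
    return [sum(coef[c] * W[c][i] for c in range(len(W))) for i in range(len(x))]


def project(x_adv, x_orig, eps=EPS):
    """Project onto the L-inf ball of radius eps around x_orig, intersected with [0, 255]."""
    return [min(max(a, o - eps, 0.0), o + eps, 255.0) for a, o in zip(x_adv, x_orig)]


def pgd_untargeted(W, b, x_orig, y, eps=EPS, alpha=ALPHA, steps=STEPS):
    """Maximize the loss on the true label y by signed-gradient steps, projecting after each one."""
    x = [float(v) for v in x_orig]
    for _ in range(steps):
        g = ce_input_gradient(W, b, x, y)
        x = [xi + alpha * (1 if gi > 0 else -1 if gi < 0 else 0) for xi, gi in zip(x, g)]
        x = project(x, x_orig, eps)
    # PNGs hold integers: round, then re-project. Because x_orig is integer-valued,
    # rounding a value inside [o-eps, o+eps] cannot leave that interval.
    return [int(v) for v in project([round(v) for v in x], x_orig, eps)]


def check_perturbation(x_adv, x_orig, eps=EPS):
    """Return (ok, max_abs_diff): ok is True only if sizes match, every pixel is in 0-255,
    and no pixel moved by more than eps. Run this on every i_j.png pair before zipping."""
    if len(x_adv) != len(x_orig):
        return False, None
    diffs = [abs(a - o) for a, o in zip(x_adv, x_orig)]
    in_range = all(0 <= a <= 255 for a in x_adv)
    return (in_range and max(diffs) <= eps), max(diffs)


# Constructed toy instance: a 4-pixel "image" and a 3-class linear model.
# This is not a CIFAR-100 model; it only exercises the budget and projection logic.
W_TOY = [[0.1, 0.1, -0.1, -0.1], [-0.1, -0.1, 0.1, 0.1], [0.0, 0.0, 0.0, 0.0]]
B_TOY = [0.0, 0.0, 0.0]
X_TOY = [130, 130, 125, 125]   # correctly classified as class 0 with logit margin 1.0
Y_TOY = 0


def demo():
    x_adv = pgd_untargeted(W_TOY, B_TOY, X_TOY, Y_TOY)
    ok, maxd = check_perturbation(x_adv, X_TOY)
    return predict(W_TOY, B_TOY, X_TOY), predict(W_TOY, B_TOY, x_adv), ok, maxd, x_adv


if __name__ == "__main__":
    print(demo())
```

For the real submission, load i_j.png from the benign set and from adv_imgs, flatten both to pixel lists, and call check_perturbation on each pair; any pair whose maximum difference exceeds 8, or whose values fall outside 0-255, is an invalid image regardless of how well it fools the models.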
Your attack will be evaluated on the accuracy the chosen models achieve on the evaluation set (download here; lower accuracy is better), which consists of 500 images from CIFAR-100 (5 images of each class, each image named i_j.png where i is the class ID and j is a number from 0 to 4).
You can use any programming language and packages. Please add a README.txt file to tell people how to run your code.
You need to write a report describing your methods. You can discuss, for example, why you chose certain methods (or combinations of methods) and any internal experiments you ran (e.g., accuracy on substitute models, or against popular defenses). Please write it in LaTeX using the NeurIPS conference template (https://neurips.cc/Conferences/2023/PaperInformation/StyleFiles). The report is at most 4 pages, excluding references (please cite the work that you used in this homework).
Submission format:
Put everything in a folder named "hw1_(your_student_id)".
Put the report in the first layer of the folder, with name "hw1_(your_student_id).pdf"
Put your code in a sub-folder named "src". Please include a README.txt file here.
Put your 500 generated adversarial images in a folder named "adv_imgs", and use the same file names as those in the evaluation set that you downloaded, i.e., i_j.png is the adversarial counterpart of i_j.png in the original benign evaluation set.
So, your folder will look like this:
hw1_(your_student_id)
| - hw1_(your_student_id).pdf
| - src/
|   | - README.txt
| - adv_imgs/
|   | - 0_0.png
|   | - 0_1.png
|   ...
|   | - 99_4.png
Then compress this folder into hw1_(your_student_id).zip
Grading policy:
5 points on the accuracy of the models on your adversarial images (lower is better)
5 points on the report (novelty, clarity, evaluation completeness)
Late submission:
Rubric
Criteria | Ratings | Pts
---|---|---
Performance: we evaluate your submitted images. | threshold-based | 5 pts
Report | threshold-based | 5 pts
Total Points | | 10