Some question about computing the adversarial saliency map in JSMA attack about adversarial-robustness-toolbox HOT 3 OPEN

Hi @HIT1180300227 I think this implementation of JSMA is neglecting the additional terms on gradients towards classes other than the target class. Have you been able to use the attack successfully?

from adversarial-robustness-toolbox.

Hi @beat-buesser ,

I use JSMA method in ids(intrusion detection system) field.Specifically, I use the targeted JSMA method on the statistical feature vectors as follows:

art_classifier = KerasClassifier(model=model, use_logits=False)
attack = SaliencyMapMethod(classifier=art_classifier, theta=theta, gamma=gamma, batch_size=1,verbose=True)

#x_test are original statistical feature vectors 
targeted_x_test_jsma = attack.generate(x=x_test,y=numpy_targets)

Before using jsma attack,I can get 90% classification accuracy.After using this attack method, the classification accuracy will be reduced to 20%.

It seems that although the implementation of this attack method is not consistent with the original paper, it can still successfully confuse the classification model.

Why does the jsma attack still work?

from adversarial-robustness-toolbox.

Hi @HIT1180300227 I think it still works because the main component of the gradients is the same, e.g. the direction in which the current classes' logit value decreases. The paper is more accurate by requiring additional terms for updates to this direction to make sure the other logins are not increasing. It looks that for many applications these additional therms might be small/negligible, but it would be more complicated to implement.

from adversarial-robustness-toolbox.