$\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples

Authors: Antonio Emanuele Cinà, Francesco Villani, Maura Pintor, Lea Schönherr, Battista Biggio, Marcello Pelillo

ICLR 2025

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive evaluations using MNIST, CIFAR10, and ImageNet datasets, involving robust and non-robust models, show that $\sigma$-zero finds minimum $\ell_0$-norm adversarial examples without requiring any time-consuming hyperparameter tuning, and that it outperforms all competing sparse attacks in terms of success rate, perturbation size, and efficiency. |
| Researcher Affiliation | Academia | ¹Department of Computer Science, Bioengineering, Robotics and Systems, University of Genoa, Italy; ²Department of Electrical and Electronic Engineering, University of Cagliari, Italy; ³CISPA Helmholtz Center for Information Security, Germany; ⁴Department of Environmental Sciences, Informatics and Statistics, Ca' Foscari University of Venice, Italy |
| Pseudocode | Yes | Algorithm 1 $\sigma$-zero Attack Algorithm. |
| Open Source Code | Yes | Code is available at https://github.com/sigma0-advx/sigma-zero. |
| Open Datasets | Yes | We consider the three most popular datasets used for benchmarking adversarial robustness: MNIST (LeCun & Cortes, 2005), CIFAR-10 (Krizhevsky, 2009) and ImageNet (Krizhevsky et al., 2012). |
| Dataset Splits | Yes | To evaluate the attack performance, we use the entire test set for MNIST and CIFAR-10 (with a batch size of 32), and a subset of 1000 test samples for ImageNet (with a batch size of 16). |
| Hardware Specification | Yes | We measure the runtime on a workstation with an NVIDIA A100 Tensor Core GPU (40 GB memory) and two Intel Xeon Gold 6238R processors. |
| Software Dependencies | No | The paper mentions using default hyperparameters from original implementations in "AdversarialLib (Rony & Ben Ayed) and Foolbox (Rauber et al., 2017)", but does not provide specific version numbers for these or other software components. |
| Experiment Setup | Yes | We set the maximum number of iterations to $N = 1000$ to ensure that all attacks reach convergence (Pintor et al., 2022). For $\sigma$-zero, we set $\eta_0 = 1$, $\tau_0 = 0.3$, $t = 0.01$, and $\sigma = 10^{-3}$, and keep the same configuration for all models and datasets. |