| | C&W attack | (1e − 4, 5, 500, 0) | (1e − 4, 5, 500, 8) | (1e − 4, 5, 500, 12) | (1e − 4, 5, 500, 14) | (1e − 4, 5, 500, 15) |
| | ASR | 62.3% | 44.6% | 44.6% | 42.6% | 42.3% | | PSNR (dB) | 39.94 | 40.78 | 39.57 | 39.00 | 38.40 | | Prob. true class | (B) 0.881 (A) 0.251 | (B) 0.881 (A) 0.153 | (B) 0.881 (A) 0.084 | (B) 0.881 (A) 0.043 | (B) 0.881 (A) 0.021 | | Prob. target class | (B) 0.013 (A) 0.328 | (B) 0.013 (A) 0.534 | (B) 0.013 (A) 0.721 | (B) 0.013 (A) 0.843 | (B) 0.013 (A) 0.914 |
| | Proposed attack | (1e − 4, 5, 500, 0) | (1e − 4, 5, 500, 1.5) | (1e − 4, 5, 500, 2.5) | (1e − 4, 5, 500, 4.0) | (1e − 4, 5, 500, 5.0) | | ASR | 88.0% | 87.6% | 86.3% | 85.1% | 82.7% | | PSNR (dB) | 38.53 | 37.48 | 37.02 | 36.07 | 35.40 | | Prob. true class | (B) 0.908 (A) 0.194 | (B) 0.908 (A) 0.063 | (B) 0.908 (A) 0.024 | (B) 0.908 (A) 0.005 | (B) 0.908 (A) 0.001 | | Prob. target class | (B) 0.009 (A) 0.546 | (B) 0.009 (A) 0.824 | (B) 0.009 (A) 0.923 | (B) 0.009 (A) 0.981 | (B) 0.009 (A) 0.993 |
|
|
The parameters of the attacks are indicated according to the following format: (starting point, number of steps of binary search, max iterations, confidence). Prob. true and target class indicate the probabilities of the original (true) and target classes, before (B) and after (A) the attack.
|
