paper notes:
1.this paper introduced three new attacks for L-0 L-2 L-infin distance metrics by defining different choices of objective function. Specifically, they are all based on the L-2 attack.
2.these attacks successfully beat defensive distillation. And high-confidence adv examples in a simple transferability also beat the defensive distillation.
they first summurize previous attack algorithms including L-BFGS, Fast Gradient Sign, JSMA, Deepfool.
And they tried different objective function and transform the optimization function.
and then give the three attacks:
L-2
L-0 L-infin are based on L-2.
they successfully applied attacks on distilled networks.
and also found that transferability works on the distilled network.
Strengths:
1.tried different objective function and applied by different metrics.
2.defeat defensive distillation networks by their attacks and high-confidence tranfered examples and preliminarily explain why previous attacks fail.
Detailed comments, possible improvements, or related ideas:
1. construct and evaluate a good distance metric to perfect measure of human perceptual similarity.
2. why all-black image was initially classified as 1 and all-white image was initially classified as 8
3. why fast gradient sign fails on defensive distillation after divide the logits by temperature T, where the authors said they cannot explain.