Table 2 Classification error (%) on the first 1000 test samples (CIFAR-10) for the gray-box PGD transferability attacks from a single-channel model to a multi-channel model with randomly selected channels (the average results over 10 runs)
Data type | Attacked | Transferability | Transferability KDA | |||
|---|---|---|---|---|---|---|
vanilla | vanilla | # channels · # classifiers | ||||
3 | 5 | 7 | 9 | |||
VGG 16 | ||||||
Original | 10.7 | 11.7 | 11.6 | 9.9 | 9.5 | 9 |
PGD | 16.1 | 15.2 | 14.25 | 12.16 | 11.75 | 11 |
ResNet 18 | ||||||
Original | 9.5 | 10.6 | 11.7 | 9.3 | 8.8 | 8.1 |
PGD | 17.9 | 14.9 | 14.7 | 11.29 | 10.67 | 9.7 |