Table 5 Classification error (%) on the first 1000 test samples for the gray-box C&W transferability attacks from a single-channel model to a multi-channel model with randomly selected channels (the average results over 10 runs)
Data type | Transferability KDA | ||
|---|---|---|---|
# channels · # classifiers | |||
3 | 5 | 7 | |
MNIST | |||
Original | 0.6 | 0.5 | 0.6 |
C&Wℓ2 | 5.06 | 4.77 | 4.44 |
C&Wℓ0 | 7.77 | 7.3 | 7.12 |
C&Wℓ∞ | 3.41 | 3.12 | 2.77 |
Fashion-MNIST | |||
Original | 8.2 | 8.2 | 8.1 |
C&Wℓ2 | 9.4 | 9.1 | 8.84 |
C&Wℓ0 | 10.58 | 10.52 | 10.27 |
C&Wℓ∞ | 9.33 | 9.09 | 8.83 |
CIFAR-10 | |||
Original | 21.2 | 20.5 | 19.9 |
C&Wℓ2 | 22.92 | 21.22 | 21.1 |
C&Wℓ0 | 27.82 | 25.46 | 24.33 |
C&Wℓ∞ | 24.57 | 22.33 | 21.86 |