Table 6 Classification error (%) on the first 1000 test samples (CIFAR-10) for the multi-channel system against the direct black-box OnePixel attacks with randomly selected channels (the average results over 10 runs)
Data type | Attacked KDA | ||
|---|---|---|---|
# channels · # classifiers | |||
3 | 5 | 7 | |
VGG16 | |||
Original | 11.7 | 9.5 | 9.3 |
OnePixel p=1 | 11.3 | 9.6 | 9 |
OnePixel p=3 | 11.5 | 9.8 | 8.9 |
OnePixel p=5 | 12 | 10.6 | 9.4 |
ResNet18 | |||
Original | 11.1 | 9.7 | 8.8 |
OnePixel p=1 | 11.1 | 9.2 | 8.9 |
OnePixel p=3 | 11.4 | 9.6 | 8.8 |
OnePixel p=5 | 10.9 | 9.8 | 9.1 |