Revisiting and Expanding Targeted Universal Adversarial Perturbations

Major thoughts I have after reading the paper:

1. The paper's impact is mostly based on using the known concepts (UAP, Ordered Top-K) and techniques (KL-based, QP-based adversarial generation methods), so that's why we can see a lot of great and rigorous empirical work. In this case, the reader expects to find the answers that were somehow raised in this exploration:

• Why QP-based method is generally working better than KL-based for $K>1$ ? There is an answer about the behavior in case of $K=1$, but nothing about the former case.
• In Table 3, for the test models (last 6 rows) we should have approximately similar ASR values for both $D_{test}$ and $D_{train}$ (because these models were not used for the training at all, we are testing the transferability of the method). Why it is not the case?

2. There are some words about the trade-off between ASR and the norm of perturbations (e.g., in Section 3.2.3, Table 4). While the hypothesis behind it seems valid, in order to justify it the another set of experiments should be done: fix the max norm of perturbations and compare ASRs. In the paper (nor in the Appendix) I haven't found such experiments
3. There is a strong statement from the Conclusion Section (Lines 535-537) that "perturbations themselves in isolation will be classified by the DNN with the top-K predictions equal to the ordered top-K targets (K ≥ 1)", but actually there were no any quantitative check of this statement through the paper text.

Minor remarks:

• a. Line 181: $T \notin \hat{Y}_w(x_i)$ should be something like $T \neq \hat{Y}_w(x_i)[1:K]$ ?
• b. For KL-based criteria, I guess we should use only probabilities induced by $T$ indices, so e.g. the Eq. (10) (Line 230) should be somehow modified so we are not using the full $\hat{P}_{\Theta_s}(x'_i)$, but only the indices from $T$?
• c. There is statement that for ensemble-based UAPs are looking more "semantically meaningful" (Line 491), but no any further discussion on it and its reasons
• d. Lines 793-794: missed the Eq. numbers (referring the main paper)

1. The paper does not compare their proposed attack against any existing methods. Although the existing methods for creating targeted UAPs are listed under references, there is no actual reference to them in the problem formulation or experiments. Please explain what differentiates the design choices of AllAttacK from these approaches. It is also acceptable to modify the existing methods to fairly evaluate against AllAttacK.

2. What is meant by the 'best', 'worst', and 'mean' cases in the experiments? The description in the text does not make sense ('best' and 'worst' have the same word-to-word explanation, and the sentence doesn't make sense).

3. There are several typos in the paper, including grammatical errors. Some instances include:

   a) The last line of the abstract.

   b) The repeated mention of the "shear complexity of ...". What does this mean? Assuming the intended word is "sheer"?

   c) Line 176 "images for each in ImageNet1k". For each what?

   d) Line 164, "axies".

1. As an ICLR paper, the demonstration is super important. I have stated that the illustration is good in strengths. However, some too small fonts make my eyes exhausted. Figure 1 is fine; figure 2 x, y axis marks are too small; Table 2 headers are no way that I can see clearly; Table 3-5 for me is fine but I don't think they are OK for other reviewers;
2. Please try your UAP on Multi-modality model. For example, feed your image into chat gpt in a black-box manner, will they succeed?

• Although the proposed method presents one of the hardest adversarial attacks, it is built on two existing (relatively simpler) adversarial attacks.
• The main issue with the draft is the ineffectiveness of the crafted UAPs. The draft claims (line 76) that the proposed method crafts a doubly transferable ordered top-K UAPs. However, the Attack Success Rate (ASR) presented in the experiments is not convincing. In particular, Table 3 demonstrates numbers that are not very impressive when attacking unknown (test) models. Some numbers are close to zero (despite crafting on 18 disparate DNN models). Even the ASR for some of the known (train) models also is very low (e.g., MLPMixer).
• A good number of entries in (Tables 2 and 3) do not support the paper's main claim that it crafts a transferable ordered top-K attack.

1. Lack of explanantion of problem formulation of AllAttacK. The authors extend UAPs through 3 dimensions: model, data and target, resulting in the challenging formulation of AllAttacK. However, I believe more explanation are needed on 1) why we need to consider such challenging setup, especially the ordered top-K targeted attacks? What would be the benefit comapred to vallina UAPs? 2) On the model and data dimension, what's the exact difference between AllAttacK and UAPs?

2. The optimization of proposed formulation seems expensive. To solve the challenging model-agnostic and data-agnostic UAPs, the author proposed two optmization formulations (Eq. 9 and Eq. 14). However, both of them requires to train on full training images and training models, which is an combination of $|D^{train}| * |M^{train}|$ examples. I'm wondering the exact computation cost of AllAttacK. How long do one need to train till convergence.

3. The evaluation is limited given the challenging setup. The problem considers data-agnostic and model-agnostic ordered top-K targeted attacks. However, 1) the proposed algorithm is only evaluated on ImageNet, how would it work on other datasets? 2) In the final experiments, 18 models are used for training and 6 unseen models are used for test, how to ensure the empirical conclusion is generalizable to other model architectures? 3) For top-K target attacks, what is the performance variance given different combination of targets?

4. Lack of baselines. How do existing methods work on this setup? More analysis is needed to know on which part the proposed optimization formulations would improve compared to existing methods.