# Basic Iterative Method

The Basic Iterative Method (BIM) from Adversarial Examples in the Physical World is a simple extension of the Fast Gradient Sign Method, where instead of taking one large step, it takes an iterative approach by applying FGSM multiple times to an image with step size $\alpha$, the change in pixel value per iteration. The resulting adversary can then be clipped to limit the maximum perturbance for each pixel.

Iterative methods like the BIM are slower, but generally produce more successful and subtle perturbation to images.

First, a clean image $X$ is used for initialization in iteration $N=0$

$$\tag{2.1} \widetilde{X}_{0} = X$$

Using this image a step similar to equation (1.2) from the FGSM is performed:

$$\tag{2.2} X^{\prime}_{1} = \widetilde{X}_{0} + \alpha sign(\nabla_{X} J(\widetilde{X}_{0}, Y_{true}))$$

The adversarial example is then clipped to ensure that all pixel values are within the bounds of epsilon and the maximum and minimum pixel intensities:

$$\tag{2.3} \widetilde{X}_{1} = min ( 255, X + \epsilon, max ( 0, X-\epsilon, X^{\prime}_{1} ))$$

Repeat these steps for $N$ iterations to get the final adversary. In the results section 2.2 we investigate how the number of iterations as well as the choices for epsilon and alpha influence the success of an attack. In the paper the authors suggest the following values for the hyperparameters:

• For alpha: $\alpha = \frac{1}{255}$
• Number of iterations: $min(4+\frac{\epsilon}{\alpha}, 1.25 \cdot \frac{\epsilon}{\alpha} )$

$\alpha$ is chosen to be one pixel intensity value and the number of iterations is calculated to ensure enough steps to allow a pixel to reach the maximum adversarial perturbance, $\epsilon$.

We implement BIM as follows:

Note that we normalize $\alpha$ channel-wise in line 38 since we are working with standardized and scaled images as inputs.