# Task 2 Option 1 Report
Goal: Generate adversarial examples for the Vanilla ATHENA using optimization-based white-box attacks.

# Approaches

We approach this using the Fast Gradient Sign Method (FGSM) with EOT (Expectation Over Transformation) enabled, and Projected Gradient Descent (PGD) with EOT enabled. Both methods expose parameters that can be changed to optimize our adversarial examples against the machine learning models. The results can be recreated by running the Jupyter notebook Task2.ipynb under the Task2 folder.

# Fast Gradient Sign Method
FGSM takes the sign of the gradient, multiplies it by an epsilon, and adds the result to the image. For small values of epsilon, the image looks the same to the human eye, but its classification can be completely changed or the confidence level of the prediction reduced. The "fast" in its name comes from the fact that it does not use an iterative procedure to generate adversarial examples, which makes it faster than many other methods.

# Tunable Parameters

```json
{
  "configs6": {
    "attack": "fgsm",
    "description": "FGSM_eps0.05EOT_ON",
    "eps": 0.05,
    "distribution": {
      "num_samples": 500,
      "transformation": "rotation",
      "min_angle": -45,
      "max_angle": 45
    }
  },
  "configs7": {
    "attack": "fgsm",
    "description": "FGSM_eps0.1EOT_ON",
    "eps": 0.1,
    "distribution": {
      "num_samples": 500,
      "transformation": "rotation",
      "min_angle": -45,
      "max_angle": 45
    }
  },
  "configs8": {
    "attack": "fgsm",
    "description": "FGSM_eps0.2EOT_ON",
    "eps": 0.2,
    "distribution": {
      "num_samples": 500,
      "transformation": "rotation",
      "min_angle": -45,
      "max_angle": 45
    }
  },
  "configs9": {
    "attack": "fgsm",
    "description": "FGSM_eps0.5EOT_ON",
    "eps": 0.5,
    "distribution": {
      "num_samples": 500,
      "transformation": "rotation",
      "min_angle": -45,
      "max_angle": 45
    }
  }
}
```

# Results

| Parameter | Image | Image | Error Rate |
| :---: | :---: |:---:| :---: |
|FGSM0.01 | <img src="../results/FGSM_eps0.01EOT_ON-0.png"> | <img src="../results/FGSM_eps0.01EOT_ON-1.png"> | 0.01 | 
|FGSM0.05 | <img src="../results/FGSM_eps0.05EOT_ON-0.png"> | <img src="../results/FGSM_eps0.05EOT_ON-1.png"> | 0.008 |
|FGSM0.1 | <img src="../results/FGSM_eps0.1EOT_ON-0.png"> | <img src="../results/FGSM_eps0.1EOT_ON-1.png"> | 0.022 |
|FGSM0.2 | <img src="../results/FGSM_eps0.2EOT_ON-0.png"> | <img src="../results/FGSM_eps0.2EOT_ON-1.png"> | 0.05 |
|FGSM0.5 | <img src="../results/FGSM_eps0.5EOT_ON-0.png"> | <img src="../results/FGSM_eps0.5EOT_ON-1.png"> | 0.828 |


# Evaluation Results


# Analysis

# Projected Gradient Descent

The PGD attack is an iterative attack that can be seen as a repeated FGSM, or K-FGSM (K is the number of iterations). The general idea is that FGSM takes one big step, while PGD takes multiple iterations. Each iteration is a small step, and after each iteration the perturbation is clipped to the specified range.
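The two update rules described above, as an added example that is not taken from Task2.ipynb or the ATHENA code base: FGSM and PGD with EOT on a constructed linear softmax model in NumPy, with circular shifts standing in for the translation distribution. The model `W`, the input, the offsets, the step size and all function names are assumptions made for illustration.

```python
import numpy as np

rng = np.random.default_rng(0)
W = rng.normal(size=(16, 3))              # constructed linear softmax model: 16 inputs, 3 classes
OFFSETS = [-2, -1, 0, 1, 2]               # constructed stand-in for the EOT translation samples
X_CLEAN = rng.uniform(0.3, 0.7, size=16)  # constructed clean input with values in [0, 1]
Y_TRUE = int(np.argmax(X_CLEAN @ W))      # label = the model's prediction on the clean input

def loss_and_grad(x, y):
    """Cross-entropy loss of the toy model and its gradient with respect to the input."""
    z = x @ W
    p = np.exp(z - z.max())
    p /= p.sum()
    return -np.log(p[y]), W @ (p - np.eye(3)[y])

def eot_loss_and_grad(x, y, offsets=OFFSETS):
    """EOT: average the loss and the input gradient over the sampled transformations."""
    total, grad = 0.0, np.zeros_like(x)
    for k in offsets:
        l, g = loss_and_grad(np.roll(x, k), y)
        total += l
        grad += np.roll(g, -k)            # chain rule back through the shift
    return total / len(offsets), grad / len(offsets)

def fgsm_eot(x, y, eps):
    """One step of size eps along the sign of the EOT gradient, clipped to the valid range."""
    _, g = eot_loss_and_grad(x, y)
    return np.clip(x + eps * np.sign(g), 0.0, 1.0)

def pgd_eot(x, y, eps, step=0.02, iters=10):
    """K small sign-gradient steps, each followed by projection into the eps-ball."""
    x_adv = x.copy()
    for _ in range(iters):
        _, g = eot_loss_and_grad(x_adv, y)
        x_adv = x_adv + step * np.sign(g)
        x_adv = np.clip(x_adv, x - eps, x + eps)  # L-infinity projection around the clean input
        x_adv = np.clip(x_adv, 0.0, 1.0)          # keep values in the valid input range
    return x_adv

if __name__ == "__main__":
    print("clean EOT loss:", eot_loss_and_grad(X_CLEAN, Y_TRUE)[0])
    for eps in (0.05, 0.1, 0.2):
        lf = eot_loss_and_grad(fgsm_eot(X_CLEAN, Y_TRUE, eps), Y_TRUE)[0]
        lp = eot_loss_and_grad(pgd_eot(X_CLEAN, Y_TRUE, eps), Y_TRUE)[0]
        print(f"eps={eps}: FGSM loss {lf:.3f}, PGD loss {lp:.3f}")
```

Averaging the gradient over the transformations is what makes the perturbation hold up when the input is shifted before classification; a defense should be evaluated against this averaged gradient rather than the single-view one.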

# Tunable Parameters

```json
{
  "configs0": {
    "attack": "pgd",
    "description": "PGD_eps0.05EOT_ON",
    "eps": 0.05,
    "distribution": {
      "num_samples": 500,
      "transformation": "translation",
      "min_offset": -0.2,
      "max_offset": 0.2
    }
  },
  "configs1": {
    "attack": "pgd",
    "description": "PGD_eps0.2EOT_ON",
    "eps": 0.2,
    "distribution": {
      "num_samples": 500,
      "transformation": "translation",
      "min_offset": -0.2,
      "max_offset": 0.2
    }
  },
  "configs2": {
    "attack": "pgd",
    "description": "PGD_eps0.5EOT_ON",
    "eps": 0.5,
    "distribution": {
      "num_samples": 500,
      "transformation": "translation",
      "min_offset": -0.2,
      "max_offset": 0.2
    }
  },
  "configs3": {
    "attack": "pgd",
    "description": "PGD_eps0.7EOT_ON",
    "eps": 0.7,
    "distribution": {
      "num_samples": 500,
      "transformation": "translation",
      "min_offset": -0.2,
      "max_offset": 0.2
    }
  },
  "configs4": {
    "attack": "pgd",
    "description": "PGD_eps0.1EOT_ON",
    "eps": 0.1,
    "distribution": {
      "num_samples": 500,
      "transformation": "translation",
      "min_offset": -0.2,
      "max_offset": 0.2
    }
  }
}
```

# Results

| Parameter | Image | Image | Error Rate |
| :---: | :---: |:---:| :---: |
|PGD0.05 | <img src="../results/PGD_eps0.05EOT_ON-0.png"> | <img src="../results/PGD_eps0.05EOT_ON-0.png"> | 0.012 | 
|PGD0.1 | <img src="../results/PGD_eps0.1EOT_ON-0.png"> | <img src="../results/PGD_eps0.1EOT_ON-1.png"> | 0.018 |
|PGD0.2 | <img src="../results/PGD_eps0.2EOT_ON-0.png"> | <img src="../results/PGD_eps0.2EOT_ON-1.png"> | 0.038 |
|PGD0.5 | <img src="../results/PGD_eps0.5EOT_ON-0.png"> | <img src="../results/PGD_eps0.5EOT_ON-1.png"> | 0.754 |
|PGD0.7 | <img src="../results/PGD_eps0.7EOT_ON-0.png"> | <img src="../results/PGD_eps0.7EOT_ON-1.png"> | 0.948 |

# Evaluation Results

Task 1 results are below

| Parameter | Undefended Model | Vanilla Athena | PGD-ADT |
| :---: | :---: | :---: | :---: |
|PGD_eps0.05 |  0.10931174089068826 | 0.004048582995951417 | 0.010121457489878543  |
|PGD_eps0.2 | 0.9838056680161943| 0.06477732793522267 | 0.058704453441295545 |
| PGD_eps0.5 | 0.9878542510121457 | 0.7874493927125507 | 0.680161943319838 |
|PGD_eps0.7 | 0.9878542510121457 | 0.8967611336032388 | 0.951417004048583 |

Baseline adversarial examples are below

| Vanilla Athena Model | baseline error rates |
| :---: | :---: |
|PGD_eps0.075| 0.008468595624558928|
|PGD_eps0.082| 0.010081661457808247|
|PGD_eps0.09| 0.011694727291057565|
|PGD_eps0.1| 0.014517592499243875|
|PGD_eps0.11| 0.019659239842726082|

| Vanilla Athena Model (EOT on) | error rates |
| :---: | :---: |
|PGD_eps0.05 | 0.006072874493927126|
|PGD_eps0.1 | 0.022267206477732792|
|PGD_eps0.2 | 0.12753036437246965|
|PGD_eps0.5 | 0.8866396761133604|
|PGD_eps0.7 | 0.9655870445344129|

# Analysis
The attack on Vanilla Athena with EOT enabled is more effective than the given original Vanilla Athena baseline. For 

# Contribution
Nick Bautista and Alex Tsai worked together making a Jupyter Notebook which. Landin Thorsted ran evaluations on the baseline adversarial examples.