# Task 1 Report

Objective: Generate adversarial examples based on the undefended model.

We approach this using the Fast Gradient Sign Method, Projected Gradient Descent, and the Basic Iterative Method. Each of these methods has parameters that can be changed to optimize the adversarial examples generated against the machine learning models. The results can be recreated by running the Jupyter notebook Task1.ipynb under the notebooks folder.

# Contribution

The team worked on the project collaboratively over Discord. Each member gave input on which attacks to use and which values to set for the parameters. The contribution to the report is shared equally by everyone. Alex Tsai made a Jupyter notebook that runs through all the steps needed to get the desired results.

# Subsampling

For this task, the team decided to take subsamples from the total pool of samples in order to reduce the runtime of both adversarial example generation and evaluation.
In data.py, the parameter `ratio`, shown in the code below, has been modified to take only 5% of the total samples instead of the default, which was 10%.

```python
def subsampling(data, labels, num_classes, ratio=0.05, filepath=None, filename=None):
    ...  # function body as defined in data.py
```

The accuracy of the experiment may therefore be affected by the change in the number of samples.

# Generating Adversarial Examples

To generate the adversarial attacks, the team chose the Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and the Basic Iterative Method (BIM). Each of these attacks has four variants, each with modified parameters, to see how much the image is perturbed and how that affects the error rate of the prediction. The total number of attacks that we have generated is 12.

# Fast Gradient Sign Method

FGSM takes the sign of the gradient, multiplies it by an epsilon, and adds the result to the image. For small values of epsilon, the image looks visually similar to the human eye, but its classification can be completely changed, or the confidence level of the prediction is reduced. The "fast" in its name comes from the fact that it does not use an iterative procedure to generate adversarial examples, which makes it faster than many other methods.

## Parameters:

```json
{
  "configs0": {
    "attack": "fgsm",
    "description": "FGSM_eps0.01",
    "eps": 0.01
  },
  "configs1": {
    "attack": "fgsm",
    "description": "FGSM_eps0.05",
    "eps": 0.05
  },
  "configs2": {
    "attack": "fgsm",
    "description": "FGSM_eps0.1",
    "eps": 0.1
  },
  "configs3": {
    "attack": "fgsm",
    "description": "FGSM_eps0.2",
    "eps": 0.2
  }
}
```

## Results


| Parameter | Image | Error Rate |
| :---: | :---: | :---: |
|eps0.01 | <img src="ae_images/task1-FGSM_eps0.01-190371.718.png"> | 0.018 | 
|eps0.05 | <img src="ae_images/task1-FGSM_eps0.05-190374.765.png"> | 0.082 |
|eps0.1 | <img src="ae_images/task1-FGSM_eps0.1-190377.875.png"> | 0.242|
|eps0.2 | <img src="ae_images/task1-FGSM_eps0.2-190381.14.png"> | 0.742 |

Looking at the results, as the value of epsilon increases, the error rate goes up and the image gets more distorted, as expected.

## Evaluation


| | Undefended Model | Vanilla Athena | PGD-ADT |
| :--- | :--- | :--- | :--- |
|FGSM-eps0.01 |  0.006072874493927126 | 0.0020242914979757085 | 0.004048582995951417  |
|FGSM-eps0.05 |  0.06882591093117409 | 0.0020242914979757085 | 0.010121457489878543  |
|FGSM-eps0.1 |  0.22874493927125505 | 0.012145748987854251 | 0.02631578947368421  |
|FGSM-eps0.2 |  0.728744939271255 | 0.06882591093117409 | 0.05668016194331984  |



# Projected Gradient Descent

The PGD attack is an iterative attack that can be seen as a repeated version of FGSM, i.e. K-FGSM, where K represents the number of iterations. The general idea is that FGSM takes one big step in a single iteration, while PGD does multiple iterations. Each iteration is a small step, and after each iteration the perturbation is clipped to the specified range.

## Parameters:

```json
{
  "configs4": {
    "attack": "pgd",
    "description": "PGD_eps0.05",
    "eps": 0.05
  },
  "configs5": {
    "attack": "pgd",
    "description": "PGD_eps0.2",
    "eps": 0.2
  },
  "configs6": {
    "attack": "pgd",
    "description": "PGD_eps0.5",
    "eps": 0.5
  },
  "configs7": {
    "attack": "pgd",
    "description": "PGD_eps0.7",
    "eps": 0.7
  }
}
```

## Results

| | Image | Error Rate |
| :- | :---: | :-: |
| eps0.05 | <img src = "ae_images/task1-PGD_eps0.05-190395.062.png">| 0.124 |
| eps0.2 | <img src = "ae_images/task1-PGD_eps0.2-190414.609.png">| 0.996 |
| eps0.5 | <img src = "ae_images/task1-PGD_eps0.5-190444.796.png">| 1.0 |
| eps0.7 | <img src = "ae_images/task1-PGD_eps0.7-190474.515.png">| 1.0 |

Looking at the results, the error rate seems to increase exponentially: the increase in epsilon between the first and second examples was just 0.15, and yet the error rate went up by 87%. Each point increase in epsilon increases the error rate by a substantial amount.

## Evaluation

| | Undefended Model | Vanilla Athena | PGD-ADT |
| :--- | :--- | :--- | :--- |
|PGD_eps0.05 |  0.10931174089068826 | 0.004048582995951417 | 0.010121457489878543  |
|PGD_eps0.2 | 0.9838056680161943| 0.06477732793522267 | 0.058704453441295545 |
| PGD_eps0.5 | 0.9878542510121457 | 0.7874493927125507 | 0.680161943319838 |
|PGD_eps0.7 | 0.9878542510121457 | 0.8967611336032388 | 0.951417004048583 |



# Basic Iterative Method

BIM applies FGSM in multiple steps: it runs FGSM with a small epsilon step size, applies the result to the image, then uses the newly modified image as the input to FGSM in the next iteration. This is slower than FGSM because of its iterative procedure.
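The single FGSM step and the iterated, clipped steps that the PGD and BIM sections describe, written out in NumPy as an added example (not code from the project or from Task1.ipynb). The two-layer model, its random weights, the inputs and the `eps_step` default are constructed assumptions; labels are the model's own clean predictions, so the error rate is the fraction of predictions an attack changes.

```python
import numpy as np

rng = np.random.default_rng(0)
# Constructed stand-in for the undefended model: a fixed random 2-layer MLP.
W1, b1 = rng.normal(size=(64, 32)) * 0.3, np.zeros(32)
W2, b2 = rng.normal(size=(32, 10)) * 0.3, np.zeros(10)

def logits(x):
    return np.tanh(x @ W1 + b1) @ W2 + b2

def loss_grad(x, y):
    """Gradient of the softmax cross-entropy loss w.r.t. the input batch x."""
    h = np.tanh(x @ W1 + b1)
    z = h @ W2 + b2
    p = np.exp(z - z.max(axis=1, keepdims=True))
    p /= p.sum(axis=1, keepdims=True)
    p[np.arange(len(y)), y] -= 1.0               # dL/dz = softmax - onehot
    return ((p @ W2.T) * (1.0 - h ** 2)) @ W1.T  # backprop through tanh layer

def fgsm(x, y, eps):
    """One step of size eps along the gradient sign, clipped to valid pixels."""
    return np.clip(x + eps * np.sign(loss_grad(x, y)), 0.0, 1.0)

def bim(x, y, eps, max_iter, eps_step=None):
    """Repeated small FGSM steps, each projected back into the eps-ball."""
    eps_step = eps / 10 if eps_step is None else eps_step  # assumed default
    x_adv = x.copy()
    for _ in range(max_iter):
        x_adv = x_adv + eps_step * np.sign(loss_grad(x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)  # L-inf projection around x
        x_adv = np.clip(x_adv, 0.0, 1.0)          # keep a valid image
    return x_adv

def error_rate(x_adv, y):
    return float(np.mean(logits(x_adv).argmax(axis=1) != y))

# Constructed inputs in [0, 1]; labels are the model's clean predictions.
X = rng.uniform(0.0, 1.0, size=(200, 64))
Y = logits(X).argmax(axis=1)

def sweep(eps_values=(0.01, 0.05, 0.1, 0.2), max_iter=20):
    """(eps, FGSM error, BIM error) for each epsilon, as in the tables here."""
    return [(e, error_rate(fgsm(X, Y, e), Y),
             error_rate(bim(X, Y, e, max_iter), Y)) for e in eps_values]

if __name__ == "__main__":
    for eps, e_fgsm, e_bim in sweep():
        print(f"eps={eps:<5} FGSM error={e_fgsm:.3f}  BIM error={e_bim:.3f}")
```

Both attacks keep every pixel within `eps` of the original, which is why `eps` rather than the iteration count bounds how distorted the image can get.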

## Parameters:

```json
{
  "configs8": {
    "attack": "bim",
    "description": "BIM_eps0.1_iter20",
    "eps": 0.1,
    "max_iter": 20
  },
  "configs9": {
    "attack": "bim",
    "description": "BIM_eps0.1_iter30",
    "eps": 0.1,
    "max_iter": 30
  },
  "configs10": {
    "attack": "bim",
    "description": "BIM_eps0.1_iter40",
    "eps": 0.1,
    "max_iter": 40
  },
  "configs11": {
    "attack": "bim",
    "description": "BIM_eps0.5_iter40",
    "eps": 0.5,
    "max_iter": 40
  }
}
```

## Results

| Parameter | Image | Error Rate |
| :---: | :---: | :---: |
|eps0.1_iter20 | <img src="ae_images/task1-BIM_eps0.1_iter20-190523.968.png"> | 0.86 | 
|eps0.1_iter30 | <img src="ae_images/task1-BIM_eps0.1_iter30-190592.64.png"> | 0.904 |
|eps0.1_iter40 | <img src="ae_images/task1-BIM_eps0.1_iter40-190667.359.png"> | 0.906|
|eps0.5_iter40 | <img src="ae_images/task1-BIM_eps0.5_iter40-190738.578.png"> | 1.0 |

With the parameters used, BIM seems to be very effective at fooling the model even with a low epsilon value. The number of iterations does not seem to affect the error rate as much as epsilon does.

## Evaluation

| | Undefended Model | Vanilla Athena | PGD-ADT |
| :--- | :--- | :--- | :--- |
|BIM-eps0.1_iter20 |  0.8481781376518218 | 0.010121457489878543 | 0.02834008097165992  |
|BIM-eps0.1_iter30 |  0.8927125506072875 | 0.010121457489878543 | 0.02834008097165992  |
|BIM-eps0.1_iter40 |  0.8967611336032388 | 0.010121457489878543 | 0.030364372469635626  |
|BIM-eps0.5_iter40 |  0.9878542510121457 | 0.902834008097166 | 0.9757085020242915  |
