CW efficiency improvement and bug fix, add CW binary search version, early stop PGD version, support L0 and Linf for CW and CWBS, rewrite FAB attack.
#168
Conversation
…lation of the F function of the CW attack, and add CW attack binary search version
rikonaka
changed the title
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #168 +/- ##
==========================================
+ Coverage 73.37% 76.69% +3.32%
==========================================
Files 44 54 +10
Lines 3827 4931 +1104
Branches 578 604 +26
==========================================
+ Hits 2808 3782 +974
- Misses 862 979 +117
- Partials 157 170 +13
... and 5 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
|
rikonaka
changed the title
L0 and Linf for CW and CWBS.
|
I think the calculation of |
Thank you very much for your advice, but this And you mentioned that logits may be negative, the original author's code also directly used the value before softmax.
So this should be correct 😉. |
Thanks for the quick response. I think you misunderstand the issue. A quick fix of cwl2.py#L146 would be like: other = torch.max((1 - one_hot_labels) * outputs - one_hot_labels*10000., dim=1)[0] |
Good question, well, in here we will pick the maximum value of the logits except true label, so if here we only have 1 images, the outputs will be Then we used the So the In Tensorflow, the original author subtracts that value (
So the situation where all logits are negative that you are worried about will not happen 😉. |
However, there is no such guarantee that the output logits must be non-negtive in pytorch, for arbitrary models under any training methods. |
😵💫 The same, there is also no such guarantee that the output logits must be negative in pytorch, for arbitrary models under any training methods. If you can provide any evidence that the logits output of some model is all negative, it may be able to further support your argument. |
That is not the point. The point here is that we need to cover all cases, even though some of them are rare. Here are some other implementations of CW f_func in pytorch for reference: |
Thanks for your suggestion 👍, I will rewrite this |
…s of the graph are freed when you call .backward() or autograd.grad().`
|
Thanks for the effort you made to improve the implementation of CW in this library. I had one suggestion, and correct me if it is not feasible to implement, but wouldn't it be better if you aliased one of the variants of You could use the version of |
Thank you very much for your suggestion. I will move |
… algorithm (they are essentially one and the same)
… algorithm (they are essentially one and the same)
rikonaka
changed the title
L0 and Linf for CW and CWBS.L0 and Linf for CW and CWBS, rewrite FAB attack.
…respondence with the pseudo-code in the paper
…respondence with the pseudo-code in the paper
PR Type and Checklist
What kind of change does this PR introduce?
othercalculation error whenlogitsare all negative numbers. Thanks to @ZaberKo for providing suggestions.CWL2toCW, thanks to @Adversarian suggestions 😉.L0andLinffor CW.ESPGD(Early-Stopped PGD Version from paper Attacks Which Do Not Kill Training Make Adversarial Learning Stronger https://arxiv.org/abs/2002.11242).robustbenchfor automated testing because of the unpredictable variety of bugs, The model loading in the demo seems to have become inactive[BUG] #166, UnpicklingError: invalid load key, '<'. RobustBench/robustbench#165, https://colab.research.google.com/drive/1M8zINns6rEFd09_wzhDvDvcktbffXn7D?usp=sharing, https://github.com/Harry24k/adversarial-attacks-pytorch/actions/runs/7707665395/job/21005241730?pr=168CW attack fix
There is an obscure bug in the original CW attack code
Ffunction.In CW original code from Carlini, the
realis calculate ashttps://github.com/carlini/nn_robust_attacks/blob/c6b8f6a254e82a79a52cfbc673b632cad5ea1ab1/l2_attack.py#L96
It was a sum, but in
torchattacks, it become max, I discovered this problem accidentally 😋.adversarial-attacks-pytorch/torchattacks/attacks/cw.py
Line 136 in 936e86d
I also reduced the large number of tensor
detech()operations andview()operations in the original code, instead used index to assign tensors, its more simple and efficiency.At the same time, I also added the binary search version of CW (CWBS), issues #167 . Binary search can indeed significantly reduce the size of the perturbations. The red line is the value of
best_L2.I tested three cw attack algorithms
L0,L2andLinfand found that 100% attack success rate can be achieved on 50 test images.And its pertubations is still invisible.
FAB attack fix
The original FAB code was too complicated and difficult to maintain, so I rewritten the FAB attack and split L1, L2 attacks into separate files, and I found that previous FAB code when the user specifies a target label, it does not work good with the target attack.
The old FAB code is rename as
AFABso that it could be used inautoattack.In the FAB code
forward()functionadversarial-attacks-pytorch/torchattacks/attacks/fab.py
Line 84 in 23620a6
There are no parameters for the target label, in contrast, the FAB target attack requires both labels, one for the original label and the other for the target label.
adversarial-attacks-pytorch/torchattacks/attacks/fab.py
Line 127 in 23620a6
But there is only one label entered in the entire code. If the user wants to specify the target label to be used for the attack, since there is only one label input, the computation of the code related to the target attack will actually be meaningless.
adversarial-attacks-pytorch/torchattacks/attacks/fab.py
Line 132 in 23620a6
For example, here
la=la_target, thendiffyhere is meaningless.I'll try to fix this, but don't have any clue at the moment because we need to enter two labels for the attack, which conflicts with the existing framework. So first submitted the FAB attack without the target attack version now.FAB target attack has been completed.