[PyTorch] Changing layers from torch.nn.functional to torch.nn affects attack accuracy.

[KarthikGanesan88]

Hi, I am using PyTorch with ART and if I swap the layers in my model from torch.nn.functional versions to the torch.nn versions, I am seeing big differences in attack accuracy. For example, in the get_started_pytorch.py file, when I run it as is, I get:

Accuracy on benign test examples: 98.24%
Accuracy on adversarial test examples: 40.62%

However, if I change the network to be this instead:

class Net(nn.Module):
    def __init__(self):
        super(Net, self).__init__()
        self.conv_1 = nn.Conv2d(in_channels=1, out_channels=4, kernel_size=5, stride=1)
        self.relu_1 = nn.ReLU(inplace=True)
        self.mp_1 = nn.MaxPool2d(2, 2)
        self.conv_2 = nn.Conv2d(in_channels=4, out_channels=10, kernel_size=5, stride=1)
        self.relu_2 = nn.ReLU(inplace=True)
        self.mp_2 = nn.MaxPool2d(2, 2)
        self.fc_1 = nn.Linear(in_features=4 * 4 * 10, out_features=100)
        self.relu_3 = nn.ReLU(inplace=True)
        self.fc_2 = nn.Linear(in_features=100, out_features=10)

    def forward(self, x):
        x = self.conv_1(x)
        x = self.relu_1(x)
        x = self.mp_1(x)
        x = self.conv_2(x)
        x = self.relu_2(x)
        x = self.mp_2(x)
        x = x.view(-1, 4 * 4 * 10)
        x = self.fc_1(x)
        x = self.relu_3(x)
        x = self.fc_2(x)
        return x

My results change to:

Accuracy on benign test examples: 97.46%
Accuracy on adversarial test examples: 14.74%

As far as I am aware, both of these networks should work the exact same way, but PyTorch recommends using the torch.nn versions instead of calling the torch.nn.functional functions directly. Is there something in ART that requires relu and maxpool2d to be called as functions during forward but not have them as layers in the model?

I also tried training both of these nets with PyTorch directly and got the same classification accuracy of 98% each time.

I am only showing the attack success change for FGSM but I see similar discrepancies for PGD, HopSkipJump, CarliniL2 and SaliencyMap.

[beat-buesser]

Hi @KarthikGanesan88 That's an interesting observation, but I don't think it is caused by your new model or ART. Running the original script multiple times usually results in adversarial accuracies around 35%, but sometimes results in values as low as 16% or as high as 50%. A possible reason could be that the model gets initialised and trained slightly different in each run. It could also be that the dataset MNIST is rather sensitive to small differences, maybe we should repeat the experiments with CIFAR10.
I think your new model is not exactly the same because it uses the inplace option for ReLU whereas the original model does not use it. It could be that this also introduces numerical differences that could affect the sign-based attacks, but I have not tested it in detail.

[beat-buesser]

@KarthikGanesan88 Oh, I see, that makes sense. I thought your code was slower. The current fit loop in PyTorchClassifier is not using data loaders, for example, which is likely a source of the delays, also the shuffling should be improved.

Would you be interested to update the training loop in PyTorchClassifier.fit with your code?

[KarthikGanesan88]

@beat-buesser Yes, that makes sense. I don't have to manually move the data to the GPU, the dataloader handles that for me so maybe in the case of ART this is done for each input, which makes it slower.

Would you be interested to update the training loop in PyTorchClassifier.fit with your code?

Do you mean updating it for my own experiments? No, for now I'm OK to train the model in PyTorch and just use ART for checking attacks. Or do you mean change the code for ART? I'm really no expert with python or ART or anything like that! Like I said, my background is computer hardware so I wouldn't feel super comfortable making changes to a library like ART. I would just be worried about breaking something somewhere!

[beat-buesser]

@KarthikGanesan88 Yes, I mean as contribution in a pull request to ART. No worries, there is not chance to break anything, you code is well tested and we'll test it again. I would be happy to provide support and guide you through the steps, but only if you like and have time.

It would basically replace lines 382-414 in PyTorchClassifier.fit() with your lines 17-51 with some adaptations to use the provided x instead of loading data from disk, etc.

[KarthikGanesan88]

@beat-buesser OK. It seems like there is a robust process for git pull requests so I can give that a try!

But I'm not sure what would be the right change(s) to make. The big thing I see is that ART uses numpy arrays throughout but PyTorch uses tensors everywhere. So when using GPU, numpy arrays would have to be copied to tensors and moved to the appropriate device. So switching things to use tensors instead should alleviate this bottleneck. But I feel like that's a much bigger change since numpy arrays are used throughout ART.

So just to fix the speed issue with PyTorchClassifier.fit() I can try to convert all the data to tensors and put it on the right device at the start so it avoids any copy overhead (mainly from lines 392-393 in PyTorchClassifier.fit() I feel.

[beat-buesser]

@KarthikGanesan88 That's great! Let me know anytime if you have questions.

Yes, that's exactly the idea: PyTorchClassifier.fit() will receive data in argument x and optionally y as np.ndarray, but starting from line 382 we are free to transform them into torch.tensors, apply dataloaders, etc. as long as the changes stay inside fit()