Attacking randomized smoothing aims to find the perturbation that fools the following noising and voting operations of randomized smoothing most.
Implementations including L2 and Linf are based on the idea of Provably Robust Deep Learning via Adversarially Trained Smoothed Classifiers.
This code is based on these resources:
Note: Applying EOT startegy for PGD attack when inference involving randomness, but why?
It becomes a two-stage stochastic programming problem, and the solution is Sample Average Approximation (SAA).
- torchattacks