# Main Results

Evaluation against $L_p$ adversarial examples and adversarial frames.

See `experiments/misc.py` for details on the methods used.

Make sure to set the paths and GPU id below:

In [None]:
import os
import sys
# The inserted path must resolve to the root of the repository so that the
# `experiments` package can be imported. It is built from the kernel's current
# working directory (os.path.abspath('')) plus two parent-directory steps, so
# it assumes the notebook is run from a folder two levels below the root.
# Inserting at index 1 places this directory ahead of the later sys.path
# entries, so a module under that root shadows a same-named module found
# further down the path.
sys.path.insert(1, os.path.abspath('') + '/../../')
# NOTE(review): the helpers used throughout come from the module
# `experiments.eval.misc` (per this import), while the introduction points to
# `experiments/misc.py` - confirm which location is current.
from experiments.eval import misc
import torch
# Select the CUDA device used by this notebook; change the index to use another GPU.
torch.cuda.set_device(0)
from IPython.display import display, Markdown

Configuration to load, i.e., dataset, and models to evaluate:

In [None]:
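# Dataset configuration to evaluate. Must be one of the keys of
# `_training_variables_by_dataset` below.
config_module = 'config.svhn'

# Training configurations (i.e. models) evaluated per dataset, in addition to
# the normally trained baseline that is always included first.
# NOTE(review): the SVHN list has no 'multi_steepest_descent' entry, so SVHN
# yields three training variables while MNIST and Cifar10 yield four.
_training_variables_by_dataset = {
    'config.mnist': [
        'adversarial_training_lr005_i40_half_momentum_backtrack_check',
        'confidence_calibrated_adversarial_training_lr001_ce_f7p_i40_random_momentum_backtrack_power2_10',
        'multi_steepest_descent',
    ],
    'config.svhn': [
        'adversarial_training_lr001_i40_half_momentum_backtrack_check',
        'confidence_calibrated_adversarial_training_ce_f7p_i40_random_momentum_backtrack_power2_10',
    ],
    'config.cifar10': [
        'adversarial_training_lr0005_i40_half_momentum_backtrack_check',
        'confidence_calibrated_adversarial_training_ce_f7p_i40_random_momentum_backtrack_power2_10',
        'multi_steepest_descent',
    ],
}

# Fail with a readable message instead of a bare `assert False`, which carries
# no information and is stripped when Python runs with -O.
if config_module not in _training_variables_by_dataset:
    raise ValueError('unsupported config_module %r; expected one of %s' % (
        config_module, sorted(_training_variables_by_dataset)))

config_training_variables = ['normal_training_check'] + list(_training_variables_by_dataset[config_module])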

Sets of attacks to evaluate; they are organized in groups in order to perform worst-case analysis:

In [None]:
# Flat list of every attack name evaluated in this notebook. Each
# misc.add_attacks call receives this list, the names of one attack group and
# a label for that group.
# NOTE(review): presumably add_attacks appends the names to
# config_attack_variables and returns their positions in it (the return values
# are concatenated with `+` into groups further down) - confirm in misc.
# The call order therefore matters and should not be changed casually.
config_attack_variables = []
# L_inf group listed under the '\PGD\FConf' name in the supplementary tables.
linf_ours = misc.add_attacks(config_attack_variables, [
    #
    'normalized_zero_pgd_50_f7p_0001_momentum_backtrack',
    'normalized_pgd_50_f7p_0001_momentum_backtrack_10',
], 'l_inf ours')
# L_inf group listed under the '\PGD\FCE' name in the supplementary tables.
# NOTE(review): the `_b` ... `_e` entries look like repeated runs of the same
# attack - confirm in the config module.
linf_pgd = misc.add_attacks(config_attack_variables, [
    #
    'reference_pgd_10_005_50',
    'normalized_pgd_10_f0_005_momentum_backtrack_50',
    #
    'reference_pgd_10_005_10',
    'reference_pgd_10_005_10_b',
    'reference_pgd_10_005_10_c',
    'reference_pgd_10_005_10_d',
    'reference_pgd_10_005_10_e',
    'normalized_pgd_10_f0_005_momentum_backtrack_10',
    'normalized_pgd_10_f0_005_momentum_backtrack_10_b',
    'normalized_pgd_10_f0_005_momentum_backtrack_10_c',
    'normalized_pgd_10_f0_005_momentum_backtrack_10_d',
    'normalized_pgd_10_f0_005_momentum_backtrack_10_e',
], 'l_inf pgd')
# L_inf group listed under the '\BlackBox' name in the supplementary tables;
# the bare `#` lines separate the different attack families.
linf_black = misc.add_attacks(config_attack_variables, [
    #
    'cube2_250_f7p_005',
    #
    'simple_50_f7p_10',
    #
    'geometry_f7p_50',
    #
    'zero_query_limited_50_f7p_0001_momentum_backtrack',
    'query_limited_50_f7p_0001_momentum_backtrack_10',
    #
    'random_50',
    'random_50_b',
    'random_50_c',
    'random_50_d',
    'random_50_e',
], 'l_inf black-box')
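# The same three L_inf groups again, for the second (larger) L_inf budget.
# MNIST uses the attack names tagged `4e3`, every other dataset the ones
# tagged `6e3`; apart from that tag the two original branches were identical,
# so the names are built from one set of templates to keep them from drifting
# apart. The variables keep the `_6e3` suffix in both cases so that the group
# lists further down need no dataset-specific names.
# NOTE(review): the tag presumably encodes the epsilon value (the table labels
# use 4/3 * config.epsilon for MNIST and 2 * config.epsilon otherwise) -
# confirm against the config module.
linf_larger_eps_tag = '4e3' if config_module == 'config.mnist' else '6e3'
linf_ours_6e3 = misc.add_attacks(config_attack_variables, [
    template % linf_larger_eps_tag for template in [
        'normalized_zero_pgd_50_f7p_0001_momentum_backtrack_%s',
        'normalized_pgd_50_f7p_0001_momentum_backtrack_10_%s',
    ]
], 'l_inf ours %s' % linf_larger_eps_tag)
linf_pgd_6e3 = misc.add_attacks(config_attack_variables, [
    template % linf_larger_eps_tag for template in [
        'reference_pgd_10_005_50_%s',
        'normalized_pgd_10_f0_005_momentum_backtrack_50_%s',
        #
        'reference_pgd_10_005_10_%s',
        'reference_pgd_10_005_10_%s_b',
        'reference_pgd_10_005_10_%s_c',
        'reference_pgd_10_005_10_%s_d',
        'reference_pgd_10_005_10_%s_e',
        'normalized_pgd_10_f0_005_momentum_backtrack_10_%s',
        'normalized_pgd_10_f0_005_momentum_backtrack_10_%s_b',
        'normalized_pgd_10_f0_005_momentum_backtrack_10_%s_c',
        'normalized_pgd_10_f0_005_momentum_backtrack_10_%s_d',
        'normalized_pgd_10_f0_005_momentum_backtrack_10_%s_e',
    ]
], 'l_inf pgd %s' % linf_larger_eps_tag)
linf_black_6e3 = misc.add_attacks(config_attack_variables, [
    template % linf_larger_eps_tag for template in [
        'cube2_250_f7p_005_%s',
        #
        'simple_50_f7p_10_%s',
        #
        'geometry_f7p_50_%s',
        #
        'zero_query_limited_50_f7p_0001_momentum_backtrack_%s',
        'query_limited_50_f7p_0001_momentum_backtrack_10_%s',
        #
        'random_50_%s',
        'random_50_%s_b',
        'random_50_%s_c',
        'random_50_%s_d',
        'random_50_%s_e',
    ]
], 'l_inf black-box %s' % linf_larger_eps_tag)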
# L_2 attack groups. The untagged groups are paired with config.l2_epsilon in
# the table labels further down, the `6e3` groups with 2 * config.l2_epsilon
# and the `12e3` groups with 4 * config.l2_epsilon.
# Each budget registers three groups, in the same order as for L_inf:
# "ours", "pgd" and "black-box".
l2_ours = misc.add_attacks(config_attack_variables, [
    #
    'l2_normalized_zero_pgd_50_f7p_0001_momentum_backtrack',
    'l2_normalized_pgd_50_f7p_0001_momentum_backtrack_5',
], 'l_2 ours')
l2_pgd = misc.add_attacks(config_attack_variables, [    #
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_b',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_c',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_d',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_e',
], 'l_2 pgd')
l2_black = misc.add_attacks(config_attack_variables, [
    #
    'l2_cube2_250_f7p_005',
    'l2_geometry_f7p_50_check',
    #
    'l2_random_50',
    'l2_random_50_b',
    'l2_random_50_c',
    'l2_random_50_d',
    'l2_random_50_e',
], 'l_2 black-box')
# L_2, `6e3` tag.
l2_ours_6e3 = misc.add_attacks(config_attack_variables, [
    #
    'l2_normalized_zero_pgd_50_f7p_0001_momentum_backtrack_6e3',
    'l2_normalized_pgd_50_f7p_0001_momentum_backtrack_5_6e3',
], 'l_2 6e3 ours')
l2_pgd_6e3 = misc.add_attacks(config_attack_variables, [    #
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_6e3',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_6e3_b',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_6e3_c',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_6e3_d',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_6e3_e',
], 'l_2 6e3 pgd')
l2_black_6e3 = misc.add_attacks(config_attack_variables, [
    #
    'l2_cube2_250_f7p_005_6e3',
    'l2_geometry_f7p_50_6e3_check',
    #
    'l2_random_50_6e3',
    'l2_random_50_6e3_b',
    'l2_random_50_6e3_c',
    'l2_random_50_6e3_d',
    'l2_random_50_6e3_e',
], 'l_2 6e3 black-box')
# L_2, `9e3` tag.
# NOTE(review): these three groups are registered here, but no group list
# later in this notebook references l2_ours_9e3, l2_pgd_9e3 or l2_black_9e3,
# so they do not enter any reported worst case - confirm this is intended.
l2_ours_9e3 = misc.add_attacks(config_attack_variables, [
    #
    'l2_normalized_zero_pgd_50_f7p_0001_momentum_backtrack_9e3',
    'l2_normalized_pgd_50_f7p_0001_momentum_backtrack_5_9e3',
], 'l_2 9e3 ours')
l2_pgd_9e3 = misc.add_attacks(config_attack_variables, [    #
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_9e3',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_9e3_b',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_9e3_c',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_9e3_d',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_9e3_e',
], 'l_2 9e3 pgd')
l2_black_9e3 = misc.add_attacks(config_attack_variables, [
    #
    'l2_cube2_250_f7p_005_9e3',
    'l2_geometry_f7p_50_9e3_check',
    #
    'l2_random_50_9e3',
    'l2_random_50_9e3_b',
    'l2_random_50_9e3_c',
    'l2_random_50_9e3_d',
    'l2_random_50_9e3_e',
], 'l_2 9e3 black-box')
# L_2, `12e3` tag; only used in the groups of the non-MNIST branch further down.
l2_ours_12e3 = misc.add_attacks(config_attack_variables, [
    #
    'l2_normalized_zero_pgd_50_f7p_0001_momentum_backtrack_12e3',
    'l2_normalized_pgd_50_f7p_0001_momentum_backtrack_5_12e3',
], 'l_2 12e3 ours')
l2_pgd_12e3 = misc.add_attacks(config_attack_variables, [    #
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_12e3',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_12e3_b',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_12e3_c',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_12e3_d',
    'l2_normalized_pgd_10_f0_005_momentum_backtrack_10_12e3_e',
], 'l_2 12e3 pgd')
l2_black_12e3 = misc.add_attacks(config_attack_variables, [
    #
    'l2_cube2_250_f7p_005_12e3',
    'l2_geometry_f7p_50_12e3_check',
    #
    'l2_random_50_12e3',
    'l2_random_50_12e3_b',
    'l2_random_50_12e3_c',
    'l2_random_50_12e3_d',
    'l2_random_50_12e3_e',
], 'l_2 12e3 black-box')
# L_1 attack groups for the three budgets that the table labels further down
# print as epsilon = 12, 18 and 24 (tags `e12`, `e18`, `e24`). Each budget
# registers an "ours", a "pgd" and a "black-box" group, in that order.
l1_ours_e12 = misc.add_attacks(config_attack_variables, [
    'l1_normalized_zero_pgd_50_f7p_05_momentum_backtrack_e12',
    'l1_normalized_pgd_50_f7p_05_momentum_backtrack_5_e12',
], 'l_1 12 ours')
l1_pgd_e12 = misc.add_attacks(config_attack_variables, [
    #
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e12',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e12_b',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e12_c',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e12_d',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e12_e',
], 'l_1 12 pgd')
l1_black_e12 = misc.add_attacks(config_attack_variables, [
    'l1_geometry_f7p_50_e12_check',
    'l1_random_50_e12',
    'l1_random_50_e12_b',
    'l1_random_50_e12_c',
    'l1_random_50_e12_d',
    'l1_random_50_e12_e',
], 'l_1 12 black-box')
# L_1, `e18` tag.
l1_ours_e18 = misc.add_attacks(config_attack_variables, [
    'l1_normalized_zero_pgd_50_f7p_05_momentum_backtrack_e18',
    'l1_normalized_pgd_50_f7p_05_momentum_backtrack_5_e18',
], 'l_1 18 ours')
l1_pgd_e18 = misc.add_attacks(config_attack_variables, [
    #
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e18',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e18_b',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e18_c',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e18_d',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e18_e',
], 'l_1 18 pgd')
l1_black_e18 = misc.add_attacks(config_attack_variables, [
    'l1_geometry_f7p_50_e18_check',
    'l1_random_50_e18',
    'l1_random_50_e18_b',
    'l1_random_50_e18_c',
    'l1_random_50_e18_d',
    'l1_random_50_e18_e',
], 'l_1 18 black-box')
# L_1, `e24` tag; only used in the groups of the non-MNIST branch further down.
l1_ours_e24 = misc.add_attacks(config_attack_variables, [
    'l1_normalized_zero_pgd_50_f7p_05_momentum_backtrack_e24',
    'l1_normalized_pgd_50_f7p_05_momentum_backtrack_5_e24',
], 'l_1 24 ours')
l1_pgd_e24 = misc.add_attacks(config_attack_variables, [
    #
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e24',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e24_b',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e24_c',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e24_d',
    'l1_normalized_pgd_10_f0_05_momentum_backtrack_10_e24_e',
], 'l_1 24 pgd')
l1_black_e24 = misc.add_attacks(config_attack_variables, [
    'l1_geometry_f7p_50_e24_check',
    'l1_random_50_e24',
    'l1_random_50_e24_b',
    'l1_random_50_e24_c',
    'l1_random_50_e24_d',
    'l1_random_50_e24_e',
], 'l_1 24 black-box')
# L_0 attack groups; a single budget, printed as config.l0_epsilon in the
# table labels further down. Same "ours" / "pgd" / "black-box" split as for
# the other norms.
l0_ours = misc.add_attacks(config_attack_variables, [
    'l0_normalized_zero_pgd_50_f7p_250_momentum_backtrack',
    'l0_normalized_pgd_50_f7p_250_momentum_backtrack_5',
], 'l_0 ours')
l0_pgd = misc.add_attacks(config_attack_variables, [
    #
    'l0_normalized_pgd_10_f0_250_momentum_backtrack_10',
    'l0_normalized_pgd_10_f0_250_momentum_backtrack_10_b',
    'l0_normalized_pgd_10_f0_250_momentum_backtrack_10_c',
    'l0_normalized_pgd_10_f0_250_momentum_backtrack_10_d',
    'l0_normalized_pgd_10_f0_250_momentum_backtrack_10_e',
], 'l_0 pgd')
# The black-box group for L_0 additionally contains two corner-search entries.
l0_black = misc.add_attacks(config_attack_variables, [
    #
    'l0_corner_search_f0_5',
    'l0_sigma_corner_search_f0_5',
    'l0_geometry_f7p_50_check',
    #
    'l0_random_50',
    'l0_random_50_b',
    'l0_random_50_c',
    'l0_random_50_d',
    'l0_random_50_e',
], 'l_0 black-box')
# Adversarial frames: one group only, reported as a single column
# ('adv. frames' / 'Adversarial Frames') in the tables further down.
frames = misc.add_attacks(config_attack_variables, [
    'frames_50_f7p_001_5',
    'frames_10_f0_005_10',
    'frames_10_f0_005_10_b',
    'frames_10_f0_005_10_c',
    'frames_10_f0_005_10_d',
    'frames_10_f0_005_10_e',
], 'frames')

These are all individually evaluated attacks:

In [None]:
# List every registered attack name next to its position in the flat list, so
# the composition of the attack groups can be checked by eye.
for position, attack_name in enumerate(config_attack_variables):
    print(position, attack_name)

In [None]:
# Hand the selected dataset module plus the training and attack names to
# misc.module, which returns the config object and the per-model / per-attack
# configurations used by all following cells.
config, training_configs, attack_configs = misc.module(
    config_module,
    config_training_variables,
    config_attack_variables,
)

Names of the models as used in the generated LaTeX tables; and groupings of attacks. Note that for the $L_p$ attacks with larger epsilons, attacks with smaller epsilons are included for proper evaluation.

In [None]:
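# LaTeX macro names of the models, as used for the table rows.
# NOTE(review): four names are listed here, while config_training_variables
# holds only three entries for 'config.svhn' - confirm how misc pairs names
# with models, so that no row is attributed to the wrong model.
config_training_names = [
    '\\Normal',
    '\\AdvTrain',
    '\\ConfTrain',
    '\\Wong',
]

# Each entry of a *_config_attack_groups list is one group of attacks that is
# evaluated jointly (worst case over the group); the entry at the same
# position of the matching *_config_attack_names list is its table label.
# Groups for a larger epsilon also contain the attacks of the smaller
# epsilons of the same norm.
#
# Fixes relative to the previous version of this cell:
# * the supplementary L_1 black-box groups for epsilon 18 and 24 repeated
#   l1_black_e12 instead of adding l1_black_e18, so the epsilon-18 black-box
#   attacks never entered those groups and the reported robustness could be
#   overstated;
# * LaTeX backslashes are escaped consistently ('\\infty', '\\epsilon',
#   '\\BlackBox'); the resulting strings are unchanged, but the unescaped
#   forms are invalid escape sequences that newer Python versions warn about.
if config_module == 'config.mnist':
    # For MNIST the largest budgets (L_2 `12e3`, L_1 `e24`) are not part of
    # any group.
    main_config_attack_groups = [
        linf_ours + linf_pgd + linf_black,
        linf_ours + linf_pgd + linf_black + linf_ours_6e3 + linf_pgd_6e3 + linf_black_6e3,
        l2_ours + l2_pgd + l2_black,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18,
        l0_ours + l0_pgd + l0_black,
        frames,
    ]
    # Reduced selection: per norm only the largest budget used for MNIST,
    # except L_inf where both budgets are kept.
    main2_config_attack_groups = [
        linf_ours + linf_pgd + linf_black,
        linf_ours + linf_pgd + linf_black + linf_ours_6e3 + linf_pgd_6e3 + linf_black_6e3,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18,
        l0_ours + l0_pgd + l0_black,
        frames,
    ]
    # Per norm and budget: all attacks, then the "ours", "pgd" and
    # "black-box" groups on their own.
    supp_config_attack_groups = [
        linf_ours + linf_pgd + linf_black,
        linf_ours,
        linf_pgd,
        linf_black,
        linf_ours + linf_pgd + linf_black + linf_ours_6e3 + linf_pgd_6e3 + linf_black_6e3,
        linf_ours + linf_ours_6e3,
        linf_pgd + linf_pgd_6e3,
        linf_black + linf_black_6e3,
        l2_ours + l2_pgd + l2_black,
        l2_ours,
        l2_pgd,
        l2_black,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3,
        l2_ours + l2_ours_6e3,
        l2_pgd + l2_pgd_6e3,
        l2_black + l2_black_6e3,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12,
        l1_ours_e12,
        l1_pgd_e12,
        l1_black_e12,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18,
        l1_ours_e12 + l1_ours_e18,
        l1_pgd_e12 + l1_pgd_e18,
        # Was `l1_black_e12 + l1_black_e12`.
        l1_black_e12 + l1_black_e18,
        l0_ours + l0_pgd + l0_black,
        l0_ours,
        l0_pgd,
        l0_black,
        frames,
    ]
    main_config_attack_names = [
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % config.epsilon,
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (2*config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 12,
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 18,
        '\\begin{tabular}{@{}c@{}}$L_0$\\\\$\\epsilon = %g$\\end{tabular}' % config.l0_epsilon,
        '\\begin{tabular}{@{}c@{}}adv.\\\\frames\\end{tabular}'
    ]
    main2_config_attack_names = [
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % config.epsilon,
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (2*config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 18,
        '\\begin{tabular}{@{}c@{}}$L_0$\\\\$\\epsilon = %g$\\end{tabular}' % config.l0_epsilon,
        '\\begin{tabular}{@{}c@{}}adv.\\\\frames\\end{tabular}'
    ]
    supp_config_attack_names = [
        'Worst-Case ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        '\\PGD\\FConf ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        '\\PGD\\FCE ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        '\\BlackBox ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        #
        'Worst-Case ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\PGD\\FConf ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\PGD\\FCE ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\BlackBox ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        #
        'Worst-Case($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        '\\PGD\\FConf ($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        '\\PGD\\FCE ($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        '\\BlackBox ($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        #
        'Worst-Case($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        '\\PGD\\FConf ($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        '\\PGD\\FCE ($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        '\\BlackBox ($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        #
        'Worst-Case ($L_1$, $\\epsilon = %g$)' % 12,
        '\\PGD\\FConf ($L_1$, $\\epsilon = %g$)' % 12,
        '\\PGD\\FCE ($L_1$, $\\epsilon = %g$)' % 12,
        '\\BlackBox ($L_1$, $\\epsilon = %g$)' % 12,
        #
        'Worst-Case ($L_1$, $\\epsilon = %g$)' % 18,
        '\\PGD\\FConf ($L_1$, $\\epsilon = %g$)' % 18,
        '\\PGD\\FCE ($L_1$, $\\epsilon = %g$)' % 18,
        '\\BlackBox ($L_1$, $\\epsilon = %g$)' % 18,
        #
        'Worst-Case ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        '\\PGD\\FConf ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        '\\PGD\\FCE ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        '\\BlackBox ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        #
        'Adversarial Frames',
    ]
else:
    # These are all attacks with all evaluated epsilon values.
    main_config_attack_groups = [
        linf_ours + linf_pgd + linf_black,
        linf_ours + linf_pgd + linf_black + linf_ours_6e3 + linf_pgd_6e3 + linf_black_6e3,
        l2_ours + l2_pgd + l2_black,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3 + l2_ours_12e3 + l2_pgd_12e3 + l2_black_12e3,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18 + l1_ours_e24 + l1_pgd_e24 + l1_black_e24,
        l0_ours + l0_pgd + l0_black,
        frames,
    ]
    # These are the attacks actually presented in the main paper:
    main2_config_attack_groups = [
        linf_ours + linf_pgd + linf_black,
        linf_ours + linf_pgd + linf_black + linf_ours_6e3 + linf_pgd_6e3 + linf_black_6e3,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3 + l2_ours_12e3 + l2_pgd_12e3 + l2_black_12e3,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18 + l1_ours_e24 + l1_pgd_e24 + l1_black_e24,
        l0_ours + l0_pgd + l0_black,
        frames,
    ]
    # These are the attacks as presented in the supplementary material:
    supp_config_attack_groups = [
        linf_ours + linf_pgd + linf_black,
        linf_ours,
        linf_pgd,
        linf_black,
        linf_ours + linf_pgd + linf_black + linf_ours_6e3 + linf_pgd_6e3 + linf_black_6e3,
        linf_ours + linf_ours_6e3,
        linf_pgd + linf_pgd_6e3,
        linf_black + linf_black_6e3,
        l2_ours + l2_pgd + l2_black,
        l2_ours,
        l2_pgd,
        l2_black,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3,
        l2_ours + l2_ours_6e3,
        l2_pgd + l2_pgd_6e3,
        l2_black + l2_black_6e3,
        l2_ours + l2_pgd + l2_black + l2_ours_6e3 + l2_pgd_6e3 + l2_black_6e3 + l2_ours_12e3 + l2_pgd_12e3 + l2_black_12e3,
        l2_ours + l2_ours_6e3 + l2_ours_12e3,
        l2_pgd + l2_pgd_6e3 + l2_pgd_12e3,
        l2_black + l2_black_6e3 + l2_black_12e3,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12,
        l1_ours_e12,
        l1_pgd_e12,
        l1_black_e12,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18,
        l1_ours_e12 + l1_ours_e18,
        l1_pgd_e12 + l1_pgd_e18,
        # Was `l1_black_e12 + l1_black_e12`.
        l1_black_e12 + l1_black_e18,
        l1_ours_e12 + l1_pgd_e12 + l1_black_e12 + l1_ours_e18 + l1_pgd_e18 + l1_black_e18 + l1_ours_e24 + l1_pgd_e24 + l1_black_e24,
        l1_ours_e12 + l1_ours_e18 + l1_ours_e24,
        l1_pgd_e12 + l1_pgd_e18 + l1_pgd_e24,
        # Was `l1_black_e12 + l1_black_e12 + l1_black_e24`.
        l1_black_e12 + l1_black_e18 + l1_black_e24,
        l0_ours + l0_pgd + l0_black,
        l0_ours,
        l0_pgd,
        l0_black,
        frames,
    ]
    # These are the attack names used in the generated LaTeX tables for main paper and appendix.
    main_config_attack_names = [
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % config.epsilon,
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (2*config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (4*config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 12,
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 18,
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 24,
        '\\begin{tabular}{@{}c@{}}$L_0$\\\\$\\epsilon = %g$\\end{tabular}' % config.l0_epsilon,
        '\\begin{tabular}{@{}c@{}}adv.\\\\frames\\end{tabular}'
    ]
    main2_config_attack_names = [
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % config.epsilon,
        '\\begin{tabular}{@{}c@{}}$L_\\infty$\\\\$\\epsilon = %g$\\end{tabular}' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\begin{tabular}{@{}c@{}}$L_2$\\\\$\\epsilon = %g$\\end{tabular}' % (4*config.l2_epsilon),
        '\\begin{tabular}{@{}c@{}}$L_1$\\\\$\\epsilon = %g$\\end{tabular}' % 24,
        '\\begin{tabular}{@{}c@{}}$L_0$\\\\$\\epsilon = %g$\\end{tabular}' % config.l0_epsilon,
        '\\begin{tabular}{@{}c@{}}adv.\\\\frames\\end{tabular}'
    ]
    supp_config_attack_names = [
        'Worst-Case ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        '\\PGD\\FConf ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        '\\PGD\\FCE ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        '\\BlackBox ($L_\\infty$, $\\epsilon = %.2f$)' % config.epsilon,
        #
        'Worst-Case ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\PGD\\FConf ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\PGD\\FCE ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        '\\BlackBox ($L_\\infty$, $\\epsilon = %.2f$)' % (4./3.*config.epsilon if config_module == 'config.mnist' else 2*config.epsilon),
        #
        'Worst-Case($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        '\\PGD\\FConf ($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        '\\PGD\\FCE ($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        '\\BlackBox ($L_2$, $\\epsilon = %g$)' % (config.l2_epsilon),
        #
        'Worst-Case($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        '\\PGD\\FConf ($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        '\\PGD\\FCE ($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        '\\BlackBox ($L_2$, $\\epsilon = %g$)' % (2*config.l2_epsilon),
        #
        'Worst-Case($L_2$, $\\epsilon = %g$)' % (4*config.l2_epsilon),
        '\\PGD\\FConf ($L_2$, $\\epsilon = %g$)' % (4*config.l2_epsilon),
        '\\PGD\\FCE ($L_2$, $\\epsilon = %g$)' % (4*config.l2_epsilon),
        '\\BlackBox ($L_2$, $\\epsilon = %g$)' % (4*config.l2_epsilon),
        #
        'Worst-Case ($L_1$, $\\epsilon = %g$)' % 12,
        '\\PGD\\FConf ($L_1$, $\\epsilon = %g$)' % 12,
        '\\PGD\\FCE ($L_1$, $\\epsilon = %g$)' % 12,
        '\\BlackBox ($L_1$, $\\epsilon = %g$)' % 12,
        #
        'Worst-Case ($L_1$, $\\epsilon = %g$)' % 18,
        '\\PGD\\FConf ($L_1$, $\\epsilon = %g$)' % 18,
        '\\PGD\\FCE ($L_1$, $\\epsilon = %g$)' % 18,
        '\\BlackBox ($L_1$, $\\epsilon = %g$)' % 18,
        #
        'Worst-Case ($L_1$, $\\epsilon = %g$)' % 24,
        '\\PGD\\FConf ($L_1$, $\\epsilon = %g$)' % 24,
        '\\PGD\\FCE ($L_1$, $\\epsilon = %g$)' % 24,
        '\\BlackBox ($L_1$, $\\epsilon = %g$)' % 24,
        #
        'Worst-Case ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        '\\PGD\\FConf ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        '\\PGD\\FCE ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        '\\BlackBox ($L_0$, $\\epsilon = %g$)' % config.l0_epsilon,
        #
        'Adversarial Frames',
    ]
# Every group needs exactly one label; a mismatch would shift table columns
# and attribute results to the wrong threat model.
assert len(main_config_attack_names) == len(main_config_attack_groups), (len(main_config_attack_names), len(main_config_attack_groups))
assert len(main2_config_attack_names) == len(main2_config_attack_groups), (len(main2_config_attack_names), len(main2_config_attack_groups))
assert len(supp_config_attack_names) == len(supp_config_attack_groups), (len(supp_config_attack_names), len(supp_config_attack_groups))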

Load model files and perturbation files; this checks whether all models and adversarial examples can be found:

In [None]:
# Resolve the model and perturbation files for all training and attack configs.
# NOTE(review): new_config_training_variables and new_config_training_names
# are returned here, but the following cells keep passing
# config_training_variables and config_training_names - confirm that this is
# intended when a model could not be found.
# NOTE(review): if misc deserializes these files (not visible here), point it
# only at model and perturbation files you produced or otherwise trust.
(
    model_files,
    model_epochs,
    perturbations_files,
    perturbations_epochs,
    new_config_training_variables,
    new_config_training_names,
) = misc.load(training_configs, config_training_names, attack_configs)

Overview of models (their epochs) and the attacks (on which epoch they were computed):

In [None]:
# Render the model-epoch / attack-epoch overview as a Markdown table.
display(Markdown(
    misc.epoch_table(
        model_epochs,
        perturbations_files,
        perturbations_epochs,
        config_training_names,
        attack_configs,
    )
))

In [None]:
# Probabilities of the loaded models on the clean test set (config.testloader).
clean_probabilities = misc.compute_clean_probabilities(
    model_files,
    config.testloader,
)

In [None]:
# Evaluation objects for the clean probabilities computed above.
clean_evaluations = misc.compute_clean_evaluations(
    config,
    clean_probabilities,
)

Get probabilities on adversarial examples and set up the evaluations. The key part, i.e., the worst-case evaluation, happens in `misc.compute_adversarial_evaluations`!

In [None]:
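# Load the stored probabilities on adversarial examples from the perturbation files.
adversarial_probabilities = misc.load_adversarial_probabilities(perturbations_files)
# Both containers must have the same length; on failure report the two
# lengths, as the length checks on the attack name/group lists do.
assert len(adversarial_probabilities) == len(clean_probabilities), (len(adversarial_probabilities), len(clean_probabilities))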

In [None]:
# Worst-case evaluation over the attack groups of the full main table.
main_evaluations = misc.compute_adversarial_evaluations(
    config,
    perturbations_files,
    adversarial_probabilities,
    clean_probabilities,
    config_training_variables,
    config_attack_variables,
    main_config_attack_groups,
)

In [None]:
# Same evaluation, restricted to the reduced selection of attack groups.
main2_evaluations = misc.compute_adversarial_evaluations(
    config,
    perturbations_files,
    adversarial_probabilities,
    clean_probabilities,
    config_training_variables,
    config_attack_variables,
    main2_config_attack_groups,
)

In [None]:
# Same evaluation for the supplementary groups, which also report each
# attack family on its own.
supp_evaluations = misc.compute_adversarial_evaluations(
    config,
    perturbations_files,
    adversarial_probabilities,
    clean_probabilities,
    config_training_variables,
    config_attack_variables,
    supp_config_attack_groups,
)

In [None]:
# Markdown preview of the full main table.
# NOTE(review): tpr is passed as the string '99'; presumably it selects the
# results at a 99% true-positive-rate threshold - confirm in misc.
display(Markdown(
    misc.main_markdown_table(
        main_evaluations,
        config_training_names,
        main_config_attack_names,
        tpr='99',
    )
))

In [None]:
# Markdown preview of the reduced main table (tpr='99').
display(Markdown(
    misc.main_markdown_table(
        main2_evaluations,
        config_training_names,
        main2_config_attack_names,
        tpr='99',
    )
))

In [None]:
# Markdown preview of the supplementary table (tpr='99').
display(Markdown(
    misc.main_markdown_table(
        supp_evaluations,
        config_training_names,
        supp_config_attack_names,
        tpr='99',
    )
))

In [None]:
# LaTeX version of the full main table, with tpr='98'.
misc.main_latex_table(
    config,
    config_training_names,
    main_config_attack_names,
    main_evaluations,
    tpr='98',
)

In [None]:
# LaTeX version of the full main table, with tpr='99'.
misc.main_latex_table(
    config,
    config_training_names,
    main_config_attack_names,
    main_evaluations,
    tpr='99',
)

In [None]:
# LaTeX version of the reduced main table, with tpr='98'.
misc.main2_latex_table(
    config,
    config_training_names,
    main2_config_attack_names,
    main2_evaluations,
    tpr='98',
)

In [None]:
# LaTeX version of the reduced main table, with tpr='99'.
misc.main2_latex_table(
    config,
    config_training_names,
    main2_config_attack_names,
    main2_evaluations,
    tpr='99',
)

In [None]:
# LaTeX version of the supplementary table, with tpr='99'.
misc.supp_latex_table(
    config,
    config_training_names,
    supp_config_attack_names,
    supp_evaluations,
    tpr='99',
)