Stable Neural ODE with Lyapunov-Stable Equilibrium Points for Defending Against Adversarial Attacks.
Qiyu Kang, Yang Song, Qinxu Ding, Wee Peng Tay
- OS: Ubuntu 18.04
- GPU: RTX 2080 Ti, RTX a5000, RTX 3090
- Cuda: 11.1 or 10.2
- Python: >=3.6
- PyTorch: >= 1.6.0
- Torchvision: >= 0.7.0
- pip install git+https://github.com/Lezcano/geotorch.git@0.2.0
- pip install torchdiffeq
- pip install git+https://github.com/RobustBench/robustbench.git
Training code is now added to Rebuffi2021Fixing_70_16_cutmix_extra.
It seems git lfs is not working very well. The checkpoints can also be found here.
In this section, we show compatibility of SODEF using TRADES:
We append our SODEF after TRADES net to improve the model robustness against adversarial attacks. TRADES works as the feature extractor as in our paper. Please note TRADES weights are kept fixed during the training. We use the pretrained model provided by TRADES Repo.
| Attack / Model | TRADES ℒ∞ | TRADES+SODEF ℒ∞ | TRADES ℒ2 | TRADES+SODEF ℒ2 |
|---|---|---|---|---|
| Clean | 85.48 | 85.18 | 85.48 | 85.18 |
| APGDCE | 56.08 | 70.90 | 61.74 | 74.35 |
| APGDDLRT | 53.70 | 64.15 | 59.22 | 68.55 |
| FABT | 54.18 | 82.92 | 60.31 | 83.15 |
| Square | 59.12 | 62.21 | 72.65 | 76.02 |
| AutoAttack | 53.69 | 57.76 | 59.42 | 67.75 |
Tab 1. Classification accuracy (%) using TRADES (w/ and w/o SODEF) under AutoAttack on adversarial CIFAR10 examples with ℒ2 norm (ϵ = 0.5) and ℒ∞ norm (ϵ = 8/255).
Transfer attack:
Classification accuracy for adv examples generated from original pretrained model using AA ℒ∞ (ϵ = 8/255) attacks : 61.94%.
cd trades_r
python sodef_eval_ode.pycd trades_r
sodef_eval_transfer.ipynbIn this section, we show compatibility of SODEF using Rebuffi2021:
Similar to the above section, we append SODEF after the pretrained model provided by the RobustBench with keywords "Rebuffi2021Fixing_70_16_cutmix_extra". The weights are kept fixed during the training except the final FC layer. The pretrained model without SODEF achieves 66.58% accuracy under AutoAttack. We show that with SODEF, the robust accuracy could be improved to over 70%:
| Attack / Model | Rebuffi2021 | Rebuffi2021+SODEF | Transfer Attack |
|---|---|---|---|
| Clean | 92.23 | 93.73 | NA |
| AutoAttack | 66.58 | 71.28 | 73.38 |
Tab 2. Classification accuracy (%) using (w/ and w/o SODEF) under AutoAttack on adversarial CIFAR10 examples with ℒ∞ norm (ϵ = 8/255).
Here again for the transfer attack, adv examples are generated from original pretrained model using AA ℒ∞ (ϵ = 8/255) attacks. We will report results under each individual attack as in Tab 1. soon.
cd Rebuffi2021Fixing_70_16_cutmix_extra
python sodef_eval_ode.pycd Rebuffi2021Fixing_70_16_cutmix_extra
python sodef_eval_transfer.py or sodef_eval_transfer.ipynb