
CW efficiency improvement and bug fix, add CW binary search version, early stop PGD version, support `L0` and `Linf` for CW and CWBS, rewrite FAB attack, fix MI-FGSM bug, rewrite JSMA.

Open rikonaka opened this issue 8 months ago • 11 comments

PR Type and Checklist

What kind of change does this PR introduce?

  • [x] FIX BUG
    • [x] CW attack `real` calculation error.
    • [x] Fix the other calculation error when logits are all negative numbers. Thanks to @ZaberKo for providing suggestions.
    • [x] Move CWL2 to CW, thanks to @Adversarian suggestions 😉.
    • [x] MI-FGSM code does have some problems with the code logic https://github.com/Harry24k/adversarial-attacks-pytorch/issues/182
  • [x] ADD ATTACK
    • [x] Add CWBS (binary search version of CW)
    • [x] Add L0 and Linf for CW.
    • [x] Add ESPGD (Early-Stopped PGD Version from paper Attacks Which Do Not Kill Training Make Adversarial Learning Stronger https://arxiv.org/abs/2002.11242).
  • [x] Other... Please describe:
    • [x] No longer use robustbench for automated testing because of the unpredictable variety of bugs, https://github.com/Harry24k/adversarial-attacks-pytorch/issues/166, https://github.com/RobustBench/robustbench/issues/165, https://colab.research.google.com/drive/1M8zINns6rEFd09_wzhDvDvcktbffXn7D?usp=sharing, https://github.com/Harry24k/adversarial-attacks-pytorch/actions/runs/7707665395/job/21005241730?pr=168
    • [x] Rewrite the FAB attack (the old FAB code is renamed AFAB), https://github.com/Harry24k/adversarial-attacks-pytorch/issues/179; the previous FAB code does not accomplish the targeted attack. There is a bug in the original FAB code for L1, and the attack success rate of the L2 attack is 0.
    • [x] Rewrite the EAD algorithm to make the code logically closer to the CW algorithm (they are essentially one and the same).
    • [x] Rewrite the whole code for JSMA attack, try to fix the memory problem in ImageNet https://github.com/Harry24k/adversarial-attacks-pytorch/issues/187, but this is an impossible task, for reasons explained in ISSUES.
    • [x] Restrict numpy to versions lower than 2.0

CW attack fix

There is an obscure bug in the original CW attack code F function.

In Carlini's original CW code, `real` is calculated as

[image: other]

https://github.com/carlini/nn_robust_attacks/blob/c6b8f6a254e82a79a52cfbc673b632cad5ea1ab1/l2_attack.py#L96

It was a sum, but in torchattacks it became a max. I discovered this problem accidentally 😋.

https://github.com/Harry24k/adversarial-attacks-pytorch/blob/936e86d6387ef5ca57e4114d83745cdf199b46cf/torchattacks/attacks/cw.py#L136

I also reduced the large number of tensor detach() and view() operations in the original code, and instead used indexing to assign tensors, which is simpler and more efficient.

At the same time, I also added the binary search version of CW (CWBS), issue https://github.com/Harry24k/adversarial-attacks-pytorch/issues/167 . Binary search can indeed significantly reduce the size of the perturbations. The red line is the value of best_L2.

[image: best_L2]

I tested the three CW attack algorithms (L0, L2 and Linf) and found that a 100% attack success rate can be achieved on 50 test images.

[image: attack rate]

And its perturbations are still invisible.

[image: show]

FAB attack fix

The original FAB code was too complicated and difficult to maintain, so I rewrote the FAB attack and split the L1 and L2 attacks into separate files. I also found that when the user specifies a target label, the previous FAB code does not work well for the targeted attack.

The old FAB code is renamed AFAB so that it can be used in autoattack.

In the FAB code forward() function

https://github.com/Harry24k/adversarial-attacks-pytorch/blob/23620a694a3660e4f194c3e4d28992bced7785a1/torchattacks/attacks/fab.py#L84

There is no parameter for the target label; in contrast, the FAB targeted attack requires both labels, the original label and the target label.

https://github.com/Harry24k/adversarial-attacks-pytorch/blob/23620a694a3660e4f194c3e4d28992bced7785a1/torchattacks/attacks/fab.py#L127

But only one label is passed in the entire code. If the user wants to specify the target label for the attack, since there is only one label input, the computation related to the targeted attack is actually meaningless.

https://github.com/Harry24k/adversarial-attacks-pytorch/blob/23620a694a3660e4f194c3e4d28992bced7785a1/torchattacks/attacks/fab.py#L132

For example, here `la = la_target`, so `diffy` is meaningless.

~~I'll try to fix this, but don't have any clue at the moment because we need to enter two labels for the attack, which conflicts with the existing framework. So first submitted the FAB attack without the target attack version now.~~

FAB target attack has been completed.

rikonaka avatar Nov 12 '23 17:11 rikonaka
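The `real`/`other` computation discussed in the PR description above, as an added example that is not part of the PR or of torchattacks itself. It is written in plain Python lists rather than torch tensors so it runs stand-alone; the masked-max variant reproduces the pattern the PR calls buggy (a max over a one-hot-masked row), the indexed variant is the reference semantics (`real = Z[label]`, `other = max over i != label`), and the constructed logit rows show that the two agree on positive logits and diverge once all logits are negative. The `update_const` schedule for the trade-off constant c is Carlini's reference binary search and is an assumption here; the PR does not say CWBS uses exactly this schedule.

```python
"""Carlini-Wagner f() loss, as discussed in the PR description.

Added example, not torchattacks or Carlini's code.  Tensor ops are mirrored
with plain Python lists: a logit row is a list of floats, `label` a class
index.  All sample inputs below are constructed for illustration.
"""
from typing import List, Sequence, Tuple

Logits = Sequence[float]


def cw_f_reference(logits: Logits, label: int, kappa: float = 0.0,
                   targeted: bool = False) -> float:
    """f(x') = max(real - other, -kappa) for the untargeted case, with
    real  = Z(x')[label]            (Carlini: sum(one_hot * Z), i.e. the label logit)
    other = max_{i != label} Z(x')[i] (Carlini: max((1 - one_hot) * Z - one_hot * 1e4))
    For a targeted attack the two terms are swapped."""
    real = logits[label]                                   # index, never a max
    other = max(z for i, z in enumerate(logits) if i != label)
    margin = other - real if targeted else real - other
    return max(margin, -kappa)


def cw_f_masked_max(logits: Logits, label: int, kappa: float = 0.0,
                    targeted: bool = False) -> float:
    """The pattern the PR describes as buggy: both terms taken as the max of a
    one-hot-masked row.  max(one_hot * Z) equals Z[label] only while Z[label]
    is >= 0; with all-negative logits the masked zeros win, both terms collapse
    to 0 and f is a constant that carries no gradient for the optimizer."""
    one_hot = [1.0 if i == label else 0.0 for i in range(len(logits))]
    real = max(o * z for o, z in zip(one_hot, logits))
    other = max((1.0 - o) * z for o, z in zip(one_hot, logits))
    margin = other - real if targeted else real - other
    return max(margin, -kappa)


def compare_batch(batch: Sequence[Logits], labels: Sequence[int],
                  kappa: float = 0.0) -> List[Tuple[float, float]]:
    """Per row: (reference f, masked-max f), so the divergence is visible."""
    return [(cw_f_reference(z, y, kappa), cw_f_masked_max(z, y, kappa))
            for z, y in zip(batch, labels)]


def update_const(const: float, lower: float, upper: float,
                 success: bool) -> Tuple[float, float, float]:
    """One outer binary-search step over the CW constant c, following the
    schedule in Carlini's reference l2_attack.py (assumed here, not taken
    from CWBS): shrink c after a success, grow it (x10 until an upper bound
    exists, then bisect) after a failure.  Returns (const, lower, upper)."""
    if success:
        upper = min(upper, const)
        if upper < 1e9:
            const = (lower + upper) / 2
    else:
        lower = max(lower, const)
        if upper < 1e9:
            const = (lower + upper) / 2
        else:
            const *= 10
    return const, lower, upper


# Constructed sample logits: one row with all-negative values, one positive.
NEG_LOGITS = [-3.0, -1.0, -2.0]   # class 1 is predicted
POS_LOGITS = [2.0, 5.0, 1.0]      # class 1 is predicted

if __name__ == "__main__":
    for (ref, masked), name in zip(compare_batch([NEG_LOGITS, POS_LOGITS], [1, 1]),
                                   ("all-negative", "positive")):
        print(f"{name:13s} reference={ref:5.2f} masked_max={masked:5.2f}")
    c, lo, hi = 1.0, 0.0, 1e10
    for ok in (True, False, True):
        c, lo, hi = update_const(c, lo, hi, ok)
        print(f"success={ok!s:5s} c={c:.4f} lower={lo:.4f} upper={hi:.1f}")
```

On the positive row both versions return the same margin; on the all-negative row the masked-max version returns 0 while the reference returns the true margin between the label logit and the runner-up, which is exactly the case the checklist item "logits are all negative numbers" refers to.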