Nicholas Carlini
The effective robustness figure https://raw.githubusercontent.com/mlfoundations/open_clip/main/docs/effective_robustness.png only shows the old YFCC OpenCLIP Models. It would be great to show the new OpenCLIP Models on this same figure to both show (1)...
If you provide bash a command like "foo{0..5} bar{1..6}" it will expand each of the brace expansions separately, giving you a list of length 10. Braceexpand will do the cross...
The JSMA untargeted attack selects the target class at random; a better result can be obtained by modifying the minimization objective to make the original class more-wrong instead of a...
Some datasets store, along with the image (and optional caption/label), an md5 hash of the image. For example, FaceScrub and PubFig do this. While recent datasets don't store hashes (and...
While the idea of adversarial training is straightforward—generate adversarial examples during training and train on those examples until the model learns to classify them correctly—in practice it is difficult to...
Despite the simplicity of the Fast Gradient Sign Method, it is surprisingly effective at generating adversarial examples on unsecured models. However, Table XIV reports the misclassification rate of FGSM at...
Table XIII states that on CIFAR-10 the R+FGSM attack was executed with eps=0.05 and alpha=0.05 whereas the README in the Attack module of the open source code gives eps=0.1 and...
The PGD (and BIM) implementation in this repository is significantly less effective than as reported in prior work. In Table XIV PGD (or BIM) appears to succeed 82.4% (or 75.6%)...
The JSMA implementation in this repository is significantly less effective than as reported in prior work. In Table XIV JSMA appears to succeed 76% of the time. When I run...
On at least two counts the paper chooses l_infinity distortion bounds that are not well motivated. - Throughout the paper the report studies a CIFAR-10 distortion of eps=0.1 and eps=0.2....