
Robust Accuracy of StAdv Model

Open pratyushmaini opened this issue 3 years ago • 7 comments

Hi, according to Table 2, (AT StAdv) model achieves >50% accuracy against StAdv attacks (bound = 0.05). I used the pre-trained models provided (stadv_0.05.pt) but got a robust accuracy of around ~40%. Can you confirm if this is indeed the case?

Thanks!

pratyushmaini, May 18 '21 19:05

Hi, I looked back at the evaluation output and it looks like our evaluation did give a robust accuracy of 53.9% to that model. What exact parameters are you using for the attack? I can also re-run the evaluation and make sure the models didn't get mixed up or something.

cassidylaidlaw, May 19 '21 15:05

Hey, to get the model I used:

dataset, model = get_dataset_model(
    dataset='cifar',
    arch='resnet50',
    checkpoint_fname='cifar/stadv_0.05.pt',
)

And to test the model I used:

attack = StAdvAttack(
    model,
    bound=0.05,
)

I tried to follow the sample code in the starter notebook.

pratyushmaini, May 19 '21 16:05

Hey, sorry for the slow response. By default, StAdv uses 20 iterations but we evaluated with 100 for the PAT paper. It looks like the StAdv attack may actually be less strong when using more iterations, which would explain the discrepancy. I believe this is because it uses a penalty term on the "smoothness" of the perturbation. Using more iterations of optimization could thus improve the smoothness but reduce the effectiveness of the attack. Hopefully the community can find better spatial attacks more suited to benchmarking. I'm currently evaluating the model you evaluated using StAdv with only 20 iterations to see if I get the same results.

cassidylaidlaw, May 25 '21 01:05

Just confirmed that using only 20 iterations gives a robust accuracy for that model of 39.9%.

cassidylaidlaw, May 25 '21 01:05

Thanks for checking this. One fix could be to make an early stop on finding a successful example.

Can you confirm which of the following models you used for the numbers in the table in the main paper?

pat_alexnet_0.7.pt
pat_alexnet_1.pt

pratyushmaini, May 26 '21 01:05

Can you also let me know where you set the number of iterations?

pratyushmaini, May 26 '21 02:05

I'll look into the early stopping. I thought the library mister_ed which has the StAdv implementation was already doing it, but maybe there's a bug or something.

If you look in the README under evaluation, there are the exact attacks used for evaluation in the paper. For instance, these are the ones for CIFAR-10:

python evaluate_trained_model.py --dataset cifar --checkpoint /path/to/checkpoint.pt --arch resnet50 --batch_size 100 --output evaluation.csv \
"NoAttack()" \
"AutoLinfAttack(model, 'cifar', bound=8/255)" \
"AutoL2Attack(model, 'cifar', bound=1)" \
"StAdvAttack(model, num_iterations=100)" \
"ReColorAdvAttack(model, num_iterations=100)" \
"PerceptualPGDAttack(model, num_iterations=40, bound=0.5, lpips_model='alexnet_cifar', projection='newtons')" \
"LagrangePerceptualAttack(model, num_iterations=40, bound=0.5, lpips_model='alexnet_cifar', projection='newtons')"

You can see that the number of iterations is set using num_iterations=100.

The README file in the checkpoints zip file describes exactly which checkpoints were used for each table in the paper—let me know if that answers your question.

cassidylaidlaw, May 26 '21 13:05
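An added sketch of the early-stopping point raised in this thread, not code from perceptual-advex, mister_ed or either participant: a constructed toy attack (hinge loss on the margin plus a smoothness penalty) scored once on the final iterate only and once counting an example as broken if any iterate fooled the model. The linear classifier, objective, step size and data are all assumptions chosen for illustration; they are not StAdv's.

```python
# Constructed toy, not StAdv or mister_ed code: a linear classifier attacked by
# gradient descent on hinge(margin) + tau * smoothness(delta).

def margin(w, x, delta, y):
    """Signed margin of the perturbed input; negative means misclassified."""
    return y * sum(wi * (xi + di) for wi, xi, di in zip(w, x, delta))

def attack_trace(w, x, y, num_iterations, tau=0.5, lr=0.125, bound=1.0):
    """Return, for each iteration, whether that iterate was misclassified."""
    delta = [0.0] * len(x)
    trace = []
    for _ in range(num_iterations):
        # Hinge: the adversarial term switches off once the model is fooled,
        # leaving only the smoothness penalty to pull the perturbation back.
        active = margin(w, x, delta, y) > 0
        grad = [y * wi if active else 0.0 for wi in w]
        for i in range(len(delta) - 1):
            # Gradient of tau * (delta[i+1] - delta[i])**2
            diff = delta[i + 1] - delta[i]
            grad[i] -= 2 * tau * diff
            grad[i + 1] += 2 * tau * diff
        delta = [max(-bound, min(bound, d - lr * g)) for d, g in zip(delta, grad)]
        trace.append(margin(w, x, delta, y) < 0)
    return trace

def robust_accuracy(examples, w, num_iterations, early_stop):
    """early_stop=True: broken if ANY iterate fooled the model.
    early_stop=False: only the last iterate is checked."""
    robust = 0
    for x, y in examples:
        trace = attack_trace(w, x, y, num_iterations)
        fooled = any(trace) if early_stop else trace[-1]
        robust += not fooled
    return robust / len(examples)

W = (1.0, -1.0)  # constructed classifier weights
EXAMPLES = [     # constructed inputs with clean margins 0.5, 1.5, 0.5, 2.0
    ((0.5, 0.0), 1), ((1.5, 0.0), 1), ((-0.5, 0.0), -1), ((0.0, -2.0), 1),
]

if __name__ == "__main__":
    for n in (2, 20, 21, 100):
        print(n, robust_accuracy(EXAMPLES, W, n, early_stop=False),
              robust_accuracy(EXAMPLES, W, n, early_stop=True))
```

In this toy the iterates oscillate across the decision boundary, so the final-iterate number depends on where the iteration count happens to land, while the any-iterate number can only stay the same or drop as the budget grows.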