Harry24k / adversarial-attacks-pytorch

PyTorch implementation of adversarial attacks [torchattacks].
https://adversarial-attacks-pytorch.readthedocs.io/en/latest/index.html
MIT License
1.79k stars 337 forks

set_normalization_used #191

Open talrub opened 3 days ago

talrub commented 3 days ago

❔ Any questions

Hi,

According to attack.py line 501, it seems that if I perform atk.set_normalization_used(mean=[...], std=[...]) before applying the attack, the inputs will be denormalized (by self.inverse_normalize(inputs)). Can you explain why this is necessary? After all, I am training the model with normalized images, so why wouldn't we use the normalized images for the attack?

For example, for the MNIST dataset I am using:

```python
import torch
import torchvision
from torch.utils.data import DataLoader
from torchvision import transforms


def get_mnist_statistics():
    # Per-channel mean and std of the raw [0, 1] training images
    train_set = torchvision.datasets.MNIST(root='./data', train=True, download=True,
                                           transform=transforms.ToTensor())
    data = torch.cat([d[0] for d in DataLoader(train_set)])
    return data.mean(dim=[0, 2, 3]), data.std(dim=[0, 2, 3])


mean, std = get_mnist_statistics()
# Normalize with the dataset statistics, then flatten each image to 784 x 1
transform = transforms.Compose([transforms.ToTensor(),
                                transforms.Normalize(mean, std),
                                transforms.Lambda(lambda x: x.view(784, 1))])
trainset = torchvision.datasets.MNIST(root='./data', train=True, download=True,
                                      transform=transform)
```

rikonaka commented 2 days ago

The internal algorithm is built on input data between 0 and 1 ([0, 1]), so if you used normalization during training, we need to reduce it to the 0 to 1 interval for the internal algorithm to process it. There is actually no ambiguity here.

The first principle of program design is to have a unified input and output.

So the internal algorithm here defaults to a unified input of data in the range of 0 to 1, and there is no other meaning.
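The unit mismatch behind this answer, as an added example that is not part of the thread and not torchattacks code: one L-inf step with a [0, 1] clamp is applied in pixel space, directly on normalized values, and on normalized values with eps and the bounds converted. The function names are hypothetical, MEAN and STD are the commonly quoted MNIST statistics used as constructed sample values, and eps is assumed to be given in [0, 1] pixel units.

```python
# Added example, not torchattacks code. MEAN and STD are the commonly quoted
# MNIST statistics, used as constructed sample values; eps is in [0, 1] units.
MEAN, STD = 0.1307, 0.3081

def normalize(pixels):
    """[0, 1] pixel space -> the normalized space the model is trained on."""
    return [(p - MEAN) / STD for p in pixels]

def inverse_normalize(values):
    """Normalized space -> [0, 1] pixel space."""
    return [v * STD + MEAN for v in values]

def clamp(values, lo, hi):
    return [min(max(v, lo), hi) for v in values]

def step_in_pixel_space(x_norm, grad_sign, eps):
    """Denormalize, take one L-inf step with a [0, 1] clamp, renormalize."""
    x = inverse_normalize(x_norm)
    return normalize(clamp([p + eps * s for p, s in zip(x, grad_sign)], 0.0, 1.0))

def step_on_normalized_naive(x_norm, grad_sign, eps):
    """Same arithmetic on normalized values: eps and clamp are in the wrong units."""
    return clamp([v + eps * s for v, s in zip(x_norm, grad_sign)], 0.0, 1.0)

def step_on_normalized_rescaled(x_norm, grad_sign, eps):
    """Equivalent step without leaving normalized space: convert eps and bounds."""
    lo, hi = (0.0 - MEAN) / STD, (1.0 - MEAN) / STD
    return clamp([v + (eps / STD) * s for v, s in zip(x_norm, grad_sign)], lo, hi)

def linf_in_pixels(a_norm, b_norm):
    """L-inf distance between two normalized inputs, measured in pixel units."""
    a, b = inverse_normalize(a_norm), inverse_normalize(b_norm)
    return max(abs(p - q) for p, q in zip(a, b))

# Constructed sample: black, dark, mid and white pixels, constructed gradient sign.
PIXELS, GRAD_SIGN, EPS = [0.0, 0.2, 0.5, 1.0], [-1, 1, -1, 1], 0.3

if __name__ == "__main__":
    x_norm = normalize(PIXELS)
    for step in (step_in_pixel_space, step_on_normalized_naive,
                 step_on_normalized_rescaled):
        adv = step(x_norm, GRAD_SIGN, EPS)
        print(f"{step.__name__:28s} "
              f"pixels={[round(p, 4) for p in inverse_normalize(adv)]} "
              f"linf={linf_in_pixels(x_norm, adv):.4f}")
```

With these sample values the naive variant moves the white pixel by 0.5612 in pixel units, well past eps, while the pixels that are not clamped move by only 0.3 × 0.3081 ≈ 0.0924. The rescaled variant matches the pixel-space step exactly.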