Harry24k / adversarial-attacks-pytorch

PyTorch implementation of adversarial attacks [torchattacks]
https://adversarial-attacks-pytorch.readthedocs.io/en/latest/index.html
MIT License

Why does DeepFool generate adversarial data so slowly? #74

Closed. muyuuuu closed this issue 2 years ago

muyuuuu commented 2 years ago

As the title says, I use torchattacks.DeepFool(model) to generate adversarial data for the CIFAR-100 training set with a batch size of 512. It has been running on a Tesla P40 for 20 hours with no results. Is this normal? Here is the code:

import numpy as np

def gene_data_flow(dataloader, device, atk_method):
    # Collect per-batch results in lists and concatenate once at the end;
    # np.append inside the loop copies the whole array on every iteration.
    adv_images = []
    adv_labels = []
    for x, y in dataloader:
        x = x.to(device)
        y = y.to(device)
        # atk_method is a torchattacks attack, e.g. torchattacks.DeepFool(model)
        adv = atk_method(x, y)
        adv_images.append(adv.detach().cpu().numpy())
        adv_labels.append(y.detach().cpu().numpy())
    return np.concatenate(adv_images, axis=0), np.concatenate(adv_labels, axis=0)
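
For reference, a minimal sketch of how this function might be driven end to end. The resnet18 classifier, the ToTensor-only transform, and the data path below are placeholders for illustration, not details from the thread:

import torch
import torchattacks
import torchvision
import torchvision.transforms as T

device = torch.device("cuda" if torch.cuda.is_available() else "cpu")

# Placeholder classifier; any trained CIFAR-100 model works here.
model = torchvision.models.resnet18(num_classes=100).to(device).eval()

# torchattacks expects inputs scaled to [0, 1], so only ToTensor is applied.
trainset = torchvision.datasets.CIFAR100(root="./data", train=True,
                                         download=True, transform=T.ToTensor())
dataloader = torch.utils.data.DataLoader(trainset, batch_size=512, shuffle=False)

atk = torchattacks.DeepFool(model)  # default parameters, as in the issue
adv_images, adv_labels = gene_data_flow(dataloader, device, atk)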
YeiSimon commented 2 years ago

I wonder whether your parameters were chosen too large. You could look at the DeepFool paper for guidance on its parameters. Take care!
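
If the parameters are the issue, a quick test would be to lower the iteration count. This is only a sketch; it assumes the constructor at the linked commit exposes steps and overshoot (check deepfool.py for the actual names and defaults):

import torchattacks

# Assumed signature; fewer iterations per sample trades attack strength for speed.
atk = torchattacks.DeepFool(model, steps=10, overshoot=0.02)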

muyuuuu commented 2 years ago

I wonder whether your parameters were chosen too large. You could look at the DeepFool paper for guidance on its parameters. Take care!

I use the default parameters:

https://github.com/Harry24k/adversarial-attacks-pytorch/blob/6dbe9155b0ba6ff966f2d484366c13fcbf80e38d/torchattacks/attacks/deepfool.py#L29

Maybe there is an infinite loop here?

https://github.com/Harry24k/adversarial-attacks-pytorch/blob/6dbe9155b0ba6ff966f2d484366c13fcbf80e38d/torchattacks/attacks/deepfool.py#L52

Harry24k commented 2 years ago

The reason DeepFool takes longer than other methods is that it requires the Jacobian matrix to generate adversarial examples, as shown here: https://github.com/Harry24k/adversarial-attacks-pytorch/blob/6dbe9155b0ba6ff966f2d484366c13fcbf80e38d/torchattacks/attacks/deepfool.py#L76 Unfortunately, PyTorch does not support this procedure as a batch-wise computation. I recommend using other methods when attacking large-scale models.
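
To illustrate the point (this is not the repository's code): the Jacobian of the logits with respect to the input has to be built one sample at a time, so the cost grows linearly with the batch size rather than being amortized across the GPU batch.

import torch
from torch.autograd.functional import jacobian

def per_sample_jacobians(model, images):
    # One full (num_classes, C, H, W) Jacobian per image;
    # torch.autograd.functional.jacobian is applied to a single sample here,
    # hence the Python-level loop over the batch.
    jacobians = []
    for img in images:
        J = jacobian(lambda inp: model(inp.unsqueeze(0)).squeeze(0), img)
        jacobians.append(J)
    return jacobians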

muyuuuu commented 2 years ago

Unfortunately, PyTorch does not support this procedure as a batch-wise computation. I recommend using other methods when attacking large-scale models.

Thank you!

mvandenhi commented 2 years ago

@muyuuuu What you could do is make the algorithm targeted. That is, instead of finding the class with the closest decision boundary, you approximate it with the class that has the second-highest logit. Then you only need to compute one gradient (of the logit difference), so you can parallelize this computation over the whole batch without running into memory problems. For a better approximation you could take, e.g., the top 5 logits and determine the closest hyperplane among them.
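
A rough sketch of what one batched step of that approximation could look like; the function name, the 1e-8 stabilizer, and the clamp to [0, 1] are choices made for this example, not anything from the thread or the library:

import torch

def targeted_deepfool_step(model, images, labels, overshoot=0.02):
    # One batched step of the approximation above: aim every sample at the
    # class with the second-highest logit instead of searching all classes.
    images = images.clone().detach().requires_grad_(True)
    logits = model(images)                                   # (B, num_classes)
    top2 = logits.topk(2, dim=1).indices                     # (B, 2)
    # Target = runner-up class; fall back to the top class if the true label
    # is no longer ranked first (the sample is already misclassified).
    target = torch.where(top2[:, 0] == labels, top2[:, 1], top2[:, 0])
    f = logits.gather(1, target[:, None]) - logits.gather(1, labels[:, None])
    # Each sample's f depends only on its own input, so summing f gives all
    # per-sample gradients in a single backward pass.
    w = torch.autograd.grad(f.sum(), images)[0]              # (B, C, H, W)
    w_flat = w.flatten(1)
    r = (f.abs() / (w_flat.norm(dim=1, keepdim=True) ** 2 + 1e-8)) * w_flat
    adv = images + (1 + overshoot) * r.view_as(images)
    return adv.clamp(0, 1).detach()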