machanic opened this issue 4 years ago
Yes. In our code, we use the scaled range [-0.5, 0.5] as a valid image pixel range (applies to both adversarial and unperturbed images), which makes the tanh transformation expression more succinct than the scaled range [0,1].
The atanh function converts the [-0.5, 0.5] range to an unconstrained real-valued range via the change-of-variable technique, so that unconstrained optimization solvers can be applied to find adversarial examples. This trick was first used and explained in the Carlini-Wagner paper (see https://arxiv.org/abs/1608.04644).
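The change-of-variable described above can be sketched as follows. This is an illustrative numpy round trip for the repo's [-0.5, 0.5] range, not code from the repository itself; the helper names are my own:

```python
import numpy as np

# Change-of-variable trick from the C&W paper for a [-0.5, 0.5] pixel range:
# optimize an unconstrained real-valued w, and map it back into the valid
# pixel box with x = 0.5 * tanh(w).

def to_tanh_space(img):
    """Map an image in [-0.5, 0.5] to unconstrained real values.
    The 1.999999 factor keeps arctanh away from its poles at +/-1."""
    return np.arctanh(img * 1.999999)

def from_tanh_space(w):
    """Map real-valued w back into the valid pixel range [-0.5, 0.5]."""
    return np.tanh(w) * 0.5

img = np.random.uniform(-0.5, 0.5, size=(4, 4))
w = to_tanh_space(img)                     # unconstrained: any solver can update w
recon = from_tanh_space(w)
assert np.allclose(img, recon, atol=1e-5)  # round trip is (almost) exact
```

Because `from_tanh_space(w)` always lies strictly inside the pixel box for any real `w`, the optimizer never needs an explicit box constraint.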
@pinyuchen I am re-implementing your code in PyTorch, where I use the pixel range [0, 1]. However, I don't think I can use arctanh directly in this case. How should I do that conversion (is there a math formula)? Can you help me?
I will open-source my PyTorch version of the AutoZOOM attack.
I mean the input data is already pre-processed into the [0, 1] range in my PyTorch code.
If your image range is [0, 1]: since atanh takes input in the range (-1, 1), you can modify the code to img = np.arctanh((img-0.5)*1.999999), where the img on the right-hand side is within the range [0, 1]. Note that since your scale is different from ours, other parts may need to be modified as well.
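A minimal sketch of this suggestion for the [0, 1] range, including the inverse map back from tanh space (the function names are my own, not from the repo):

```python
import numpy as np

def img01_to_tanh_space(img):
    # (img - 0.5) * 2 lands exactly on +/-1 at the boundaries, where arctanh
    # is infinite, so 1.999999 is used instead of 2.
    return np.arctanh((img - 0.5) * 1.999999)

def tanh_space_to_img01(w):
    # Inverse map: tanh(w) is in (-1, 1), so the result stays inside [0, 1].
    return np.tanh(w) / 1.999999 + 0.5

img = np.random.uniform(0.0, 1.0, size=(3, 3))
w = img01_to_tanh_space(img)
assert np.allclose(tanh_space_to_img01(w), img, atol=1e-6)  # exact round trip
```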
@pinyuchen Because I changed the image range to [0, 1], I found all the parts I need to modify:
Related to tanh
https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L122
https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L142
https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L222
Q: How should I deal with tf.tanh at the lines shown above? Can I delete all the tanh and arctanh code? I read the C&W paper; it says the tanh transform maps the variable into the valid pixel range?
Related to self.modifier_up and self.modifier_down:
https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L232
https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L124
Q: Can I just change self.modifier_up = 0.5 - img.reshape(-1) to self.modifier_up = 1.0 - img.reshape(-1), and change self.modifier_down = -0.5 - img.reshape(-1) to self.modifier_down = 0.0 - img.reshape(-1)?
If you don't want to implement this feature, you can simply delete them. tanh works on [-1, 1]; you can convert to any other range after applying the function.
Yes, these two variables specify the upper/lower bound of the noise allowed.
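The proposed bound change can be sanity-checked numerically. This is a sketch of my own adaptation for the [0, 1] range, mirroring the repo's variable names but not taken from the authors' code:

```python
import numpy as np

img = np.random.uniform(0.0, 1.0, size=(2, 2, 3))

# Original [-0.5, 0.5] bounds:  up = 0.5 - img,  down = -0.5 - img.
# For [0, 1], a perturbed pixel img + noise must stay in [0, 1], so:
modifier_up = 1.0 - img.reshape(-1)    # largest noise keeping pixels <= 1
modifier_down = 0.0 - img.reshape(-1)  # smallest noise keeping pixels >= 0

noise = np.random.randn(img.size)
clipped = np.clip(noise, modifier_down, modifier_up)
perturbed = img.reshape(-1) + clipped
assert perturbed.min() >= -1e-9 and perturbed.max() <= 1.0 + 1e-9
```

The pattern is the same for any pixel range [lo, hi]: up = hi - img and down = lo - img.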
@chunchentu I still want to add the tanh functionality to fully support the original version.
I want to ask another question: if I use tanh mode, does this mean that when training the auto-encoder (AE), the input image of the AE (which is also the ground truth) must be converted to arctanh space?
Because I notice that https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L122 implies the self.img_modifier produced by the AE is in arctanh space. This suggests that the natural images used as the AE's training ground truth must be converted to arctanh space before training the AE.
We note that the black-box classifier takes input data in the range [-0.5, 0.5], so for AE training the input data should still be within the same range. Also, the decoder's output is real-valued and not confined to [-0.5, 0.5].
@chunchentu Sorry, maybe I didn't express my thought clearly. My question is very simple: if I set tanh=True, should I call np.arctanh((img-0.5)*1.999999) on the input image (which is also the ground truth), producing an arctanh-space image for training the auto-encoder?
This corresponds to https://github.com/IBM/Autozoom-Attack/blob/master/blackbox_attack.py#L222 in your code.
Besides, can you provide more details about how to train the AE? Which optimizer (SGD?), how many epochs, and what learning rate? Thank you very much; I am re-implementing your code in PyTorch, can you help me?
We used SGD with lr = 0.01 for 1000 epochs. Please note that even if you use the same parameters, you might not get exactly the same numbers due to many other uncontrollable factors.
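The recipe above (plain SGD, lr = 0.01, 1000 epochs) can be sketched as a training loop. Since the repo does not ship the training script, the following is a toy linear autoencoder in numpy purely to illustrate the loop; the real AE in the paper is convolutional, and the data here is random:

```python
import numpy as np

rng = np.random.default_rng(0)
X = rng.uniform(-0.5, 0.5, size=(256, 64))  # stand-in for images in [-0.5, 0.5]

d, k, lr = 64, 16, 0.01                     # input dim, bottleneck dim, step size
W_enc = rng.normal(0, 0.1, size=(d, k))
W_dec = rng.normal(0, 0.1, size=(k, d))

def loss(X):
    return np.mean((X @ W_enc @ W_dec - X) ** 2)  # reconstruction MSE

initial = loss(X)
for epoch in range(1000):          # the authors report 1000 epochs
    Z = X @ W_enc                  # encode
    R = Z @ W_dec                  # decode
    G = 2.0 * (R - X) / X.size     # dMSE/dR
    g_dec = Z.T @ G                # gradient through the decoder
    g_enc = X.T @ (G @ W_dec.T)    # gradient through the encoder
    W_dec -= lr * g_dec            # plain SGD updates
    W_enc -= lr * g_enc

assert loss(X) < initial           # reconstruction error decreases
```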
No, we didn't convert to arctanh in our implementation, as it did not make a large difference.
@machanic, did you ever finish the re-implementation in PyTorch? If so, I would really like to try it out.
@joeybose I have finished it. If you want the code, I can email it to you; please send me your email address.
Awesome, I would love to connect my email is: joey.bose@mail.mcgill.ca, thank you so much again.
autozoom_attack.zip This is the PyTorch version of the AutoZOOM attack. However, the training part of the auto-encoder is not provided by the paper's authors, so I re-implemented that part based on my own approach. You can debug it and try to fix that part.
awesome! Can you give a few canonical commands to run it? Also, were your implementation results similar?
@joeybose The attack's process and code exactly follow the TensorFlow version; you can read the code and run it yourself. However, the training part of the auto-encoder is not provided by the paper's authors, so I re-implemented that part based on my own approach; you can fix it. If you have questions, please contact me by email.
All other attack algorithms use the [0, 1] range, but in your code (https://github.com/IBM/Autozoom-Attack/blob/master/setup_cifar.py#L55) you use (img/255)-.5 to bound pixels to the [-0.5, 0.5] range. Why? Does this mean the generated adversarial images also use the [-0.5, 0.5] range?
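For reference, the scaling this question refers to is just a divide-and-shift; a minimal illustration (not code from the repo):

```python
import numpy as np

# setup_cifar.py maps raw uint8 pixels in [0, 255] to [-0.5, 0.5]
# via (img / 255) - 0.5, so the attack's adversarial images live in
# the same [-0.5, 0.5] range.
raw = np.array([0, 128, 255], dtype=np.uint8)
scaled = raw / 255.0 - 0.5
assert scaled.min() >= -0.5 and scaled.max() <= 0.5

# Converting back to the common [0, 1] convention is just a shift:
assert np.allclose(scaled + 0.5, raw / 255.0)
```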