kieranfraser
commented
1 year ago Created adversarial patches using each framework, keeping data, model and hyper parameters fixed (as far as possible).
Model: Resnet50 (torchvision and keras) target_name = 'goldfish, Carassius auratus' image_shape = (3, 224, 224) or (224, 224, 3) clip_values = (0, 1) or (0, 255) nb_classes = 1000 batch_size = 16 scale_min = 0.4 scale_max = 1.0 rotation_max = 22.5 learning_rate = 5000. max_iter = 500
All patches are effective and have some small discrepancies between each other visually, but not alarmingly so. Also able to generate an adversarial patch using AdversarialPatchPyTorch at full image size (3, 224, 224).
Notebooks with generated patches for each framework:
I have received an external anonymous report form a user of ART that there seems to be a discrepancy among the Numpy, TensorFlow and PyTorch versions of the Adversarial Patch attack.
Experiment generating three patches using the same data and hyperparamters and the same models as much as possible but slighlty different model parameters because they were trained in their respective frameworks.
All patches generated are effective when applied but the patches generated by
AdversarialPAtchPyTorchgenerates patches that look different compared to the other two patchesIt looks like the
AdversarialPatchPyTorchpatch is in a different domain than the other two patches because it show no gray pixels and has significantly more primary colours. TheAdversarialPatchPyTorchattack does not generate the patch at full image size and returns a gray patch instead for this scale.