Trusted-AI / adversarial-robustness-toolbox

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams
https://adversarial-robustness-toolbox.readthedocs.io/en/latest/
MIT License

Deepfool does not work well. #219

Closed hkthirano closed 4 years ago

hkthirano commented 5 years ago

Deepfool does not work well.

Maybe because batch and x_adv[batch_index_1:batch_index_2] are equal, the overshoot parameter is zero.

# Apply overshoot parameter
x_adv[batch_index_1:batch_index_2] = x_adv[batch_index_1:batch_index_2] + \
    (1 + self.epsilon) * (batch - x_adv[batch_index_1:batch_index_2])

If we change it like this, it works well.

# art/attacks/deepfool.py

# Compute perturbation with implicit batching
for batch_id in range(int(np.ceil(x_adv.shape[0] / float(self.batch_size)))):
    batch_index_1, batch_index_2 = batch_id * self.batch_size, (batch_id + 1) * self.batch_size
    # batch = x_adv[batch_index_1:batch_index_2] 
    batch = x_adv[batch_index_1:batch_index_2].copy()

beat-buesser commented 5 years ago

Hi @hkthirano Thank you very much for using ART and asking this question! Could you please provide more information/code about how you define the ART classifier and your model? Does your model predict probabilities or logits?

imTyrant commented 4 years ago

@beat-buesser I agree with @hkthirano that there is a bug. batch is equal to x_adv[batch_index_1:batch_index_2] (line in here) and operations on batch are in-place, which will cause x_adv2 to always be 0 (line in here).

# art/attacks/evasion/deepfool.py
100:  batch = x_adv[batch_index_1:batch_index_2]
...
142:  batch[active_indices] += r_var[active_indices]
...
164:  x_adv2 = (1 + self.epsilon) * (batch - x_adv[batch_index_1:batch_index_2])
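
The aliasing discussed in this thread, reproduced as an added example (not ART's code and not written by any commenter): a NumPy basic slice is a view, so the in-place update writes through to x_adv and the overshoot term becomes zero, leaving samples on the decision boundary instead of across it. The linear classifier, the inputs, and the helper names `margin`, `minimal_perturbation` and `run_batches` are constructed for illustration.

```python
import numpy as np

# Constructed linear classifier f(x) = w.x + b; the sign of f is the predicted class.
W, B = np.array([3.0, 4.0]), -5.0
X = np.array([[3.0, 4.0], [1.0, 3.0], [2.0, 2.0]])  # constructed inputs, all f > 0


def margin(x):
    return x @ W + B


def minimal_perturbation(x):
    """Closed-form DeepFool step for a linear model: projects x onto f(x) = 0."""
    return -(margin(x) / (W @ W))[:, None] * W


def run_batches(x, r, epsilon, batch_size=2, copy_batch=False):
    """Hypothetical, simplified stand-in for the batching loop quoted in the thread."""
    x_adv = x.astype(np.float64)  # astype copies; the caller's array is untouched
    terms = []
    for batch_id in range(int(np.ceil(x_adv.shape[0] / float(batch_size)))):
        i1, i2 = batch_id * batch_size, (batch_id + 1) * batch_size
        # Basic slicing returns a view that shares memory with x_adv.
        batch = x_adv[i1:i2].copy() if copy_batch else x_adv[i1:i2]
        active = np.arange(batch.shape[0])
        batch[active] += r[i1:i2][active]  # in-place; writes through to x_adv if a view
        x_adv2 = (1 + epsilon) * (batch - x_adv[i1:i2])  # overshoot term
        terms.append(x_adv2.copy())
        x_adv[i1:i2] = x_adv[i1:i2] + x_adv2
    return x_adv, np.concatenate(terms)


if __name__ == "__main__":
    r = minimal_perturbation(X)
    for copy_batch in (False, True):
        x_adv, terms = run_batches(X, r, epsilon=0.02, copy_batch=copy_batch)
        print("copy" if copy_batch else "view", np.abs(terms).max(), margin(x_adv))
```

With the view, every overshoot term is exactly zero and the margins sit at the boundary; with `.copy()`, the margins change sign.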