search

Trustworthy-AI-Group / TransferAttack

TransferAttack is a pytorch framework to boost the adversarial transferability for image classification.
MIT License
268 stars 41 forks source link

Questionable init_delta in transferattack/attack.py #54

Closed XinzeZhang closed 5 months ago

XinzeZhang commented 5 months ago

Thanks for providing this useful work. The function of init_delta in transferattack/attack.py seems questionable. https://github.com/Trustworthy-AI-Group/TransferAttack/blob/a81bee4992dbbec0c3a17f10fc46916640b12d78/transferattack/attack.py#L130-L143 According to the random start defined in the paper ''Tramèr et al. Ensemble Adversarial Training: Attacks and Defenses. ICLR 2018'', delta may be initialized by N(0,1). Thus, why the uniform is used in L125? Does this refer to https://github.com/MadryLab/mnist_challenge/blob/3ee3643c4a8c59458d8c191b84027f4a6cbd9580/pgd_attack.py#L43-L48 ?

And, the L136 also seems problematic, which may be delta.normal_(). Besides, why the norm scalernis constrained withdim=10` in L138?

If there are indeed bugs, I'm happy to create a PR as

    def init_delta(self, data, **kwargs):
        delta = torch.zeros_like(data).to(self.device)
        if self.random_start:
            if self.norm == 'linfty':
                delta.uniform_(-self.epsilon, self.epsilon)
            else:
                delta.normal_()
                n = torch.norm(delta.view(delta.size(0), -1), dim=1).view(-1, 1, 1, 1)
                r = torch.zeros_like(data).uniform_(0,1).to(self.device)
                delta *= r/n*self.epsilon
            delta = clamp(delta, img_min-data, img_max-data)
        delta.requires_grad = True
        return delta
xiaosen-wang commented 5 months ago

Yes, it is a bug in the l2 attack. We have fixed it as you suggested. Thanks.