advboxes / AdvBox

Advbox is a toolbox to generate adversarial examples that fool neural networks in PaddlePaddle, PyTorch, Caffe2, MxNet, Keras, and TensorFlow, and Advbox can benchmark the robustness of machine learning models. Advbox gives a command line tool to generate adversarial examples with Zero-Coding.
Apache License 2.0

What is the difference between FGSM and BIM in the codes? (/FGSM seems to be an iterative method according to the codes) #69

Closed chenweixin107 closed 3 years ago

chenweixin107 commented 3 years ago

I know that theoretically, FGSM is a one-step attack while BIM is an iterative attack. BUT in the file /adversarialbox/attacks/gradient_method.py, the definition of Class FastGradientSignMethodTargetedAttack refers to (epsilon_steps=100,steps=10) while Class IterativeLeastLikelyClassMethodAttack refers to (steps=1000,epsilon_steps=1000). And I wonder how to imply that FGSM is a one-step attack with (epsilon_steps=100,steps=10), instead of (epsilon_steps=1,steps=1)? THX!

chenweixin107 commented 3 years ago

In the file gradient.py, there is a definition of Class FGSMSATTACK at the bottom which is the implementation of the one-step method--FGSM. However, the very first implementation of FGSM is actually an iterative version.
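
The one-step versus iterative distinction discussed in this thread, shown for robustness testing on a toy model. This is an added example, not AdvBox code and not from either comment: the two-layer NumPy model and its weights are constructed, and the names `fgsm`, `bim`, `alpha` and `steps` are assumptions of this example, not AdvBox's signatures.

```python
import numpy as np

# Constructed toy model (2 inputs -> 3 tanh units -> sigmoid); not from AdvBox.
W1 = np.array([[2.0, -1.0], [-1.5, 2.5], [0.5, 1.0]])
B1 = np.array([0.1, -0.2, 0.0])
W2 = np.array([1.0, -2.0, 1.5])
B2 = 0.05

def forward(x):
    h = np.tanh(W1 @ x + B1)
    p = 1.0 / (1.0 + np.exp(-(W2 @ h + B2)))
    return h, p

def loss(x, y):
    """Binary cross-entropy of the model on input x with label y."""
    _, p = forward(x)
    return float(-(y * np.log(p) + (1.0 - y) * np.log(1.0 - p)))

def loss_grad(x, y):
    """Analytic gradient of the cross-entropy loss with respect to x."""
    h, p = forward(x)
    return W1.T @ ((p - y) * W2 * (1.0 - h ** 2))

def fgsm(x, y, eps):
    """One step: one gradient evaluation, one move of size eps."""
    return np.clip(x + eps * np.sign(loss_grad(x, y)), 0.0, 1.0)

def bim(x, y, eps, alpha, steps):
    """Iterative: the gradient is recomputed at the current point every
    step, each move has size alpha, and the result is projected back
    into the L-infinity ball of radius eps around the original x."""
    adv = x.copy()
    for _ in range(steps):
        adv = adv + alpha * np.sign(loss_grad(adv, y))
        adv = np.clip(adv, x - eps, x + eps)  # stay within eps of x
        adv = np.clip(adv, 0.0, 1.0)          # stay in valid input range
    return adv

if __name__ == "__main__":
    x, y, eps = np.array([0.3, 0.7]), 1.0, 0.1  # constructed sample
    print("clean loss:", loss(x, y))
    print("FGSM  loss:", loss(fgsm(x, y, eps), y))
    print("BIM   loss:", loss(bim(x, y, eps, alpha=0.02, steps=10), y))
    # With steps=1 and alpha=eps, the iterative method reduces to FGSM.
    print(np.allclose(bim(x, y, eps, alpha=eps, steps=1), fgsm(x, y, eps)))
```
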