Return image for each gradient step

[xerxes01]

I need to evaluate my model's defence on the perturbed images obtained by RPGD attack, however foolbox does not return the image in case the attack fails. Which specific module should be edited in order to return the failed adversarial sample?

[wielandbrendel]

I don't think you need the failed adversarial sample - that's just some image which is not adversarial, so I don't see why you would be interested in it. Are you generating adversarials on the undefended model and test on the defended one?

[xerxes01]

How do I then measure my model's defence accuracy, like they do it here : https://www.robust-ml.org/defenses/ . Or is that (the claims) just the inverse attack success rate (1-probability of outputting the adversarial target class)? I can't use robustml to evaluate as the dataset I use is isn't suppported by it.

[wielandbrendel]

Right - that's just the inverse attack success rate.

[xerxes01]

Oh Okay! Also is it the same for measuring defence on targeted attacks as well?

[wielandbrendel]

Sure.

[rufinv]

Sorry for butting in, I'm confused by this answer: isn't it possible for a targeted attack to fail, and yet the model would misclassify the perturbed image? (Say, original_class=dog, adversarial_target=car, model.predict(perturbed_image)=pizza?) In that case, model_accuracy is not (1-attack_success_rate)?

[wielandbrendel]

Well, you only perform a targeted attack if you define an adversarial as a perturbed image classified as the target class. Everything else is not adversarial and so you keep computing the adversarial success as before.

[xerxes01]

Got it! Thanks!