bethgelab / foolbox

A Python toolbox to create adversarial examples that fool neural networks in PyTorch, TensorFlow, and JAX
https://foolbox.jonasrauber.de
MIT License
2.79k stars 426 forks

how to define the bounds #703

Closed guomanshan closed 1 year ago

guomanshan commented 1 year ago

I trained the model with normalized images, and when attacking the model should I use the training dataset and normalize the images in the same way? Should the bounds be (0,1)? Actually, after normalization the pixel values of the image data are between -3 and 3. Should the bounds be (-3,3)?

volmodaoist commented 1 year ago

Hey, I ran into this problem too. Now I have solved it:

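```python
import torch
from foolbox import PyTorchModel

# model, mean, std (1-D per-channel tensors on `device`), device, eval_loader
# and attack (a foolbox attack instance) are assumed to be defined elsewhere.

# Bounds describe raw pixel space; foolbox applies the normalization itself.
# axis=-3 applies the 1-D mean/std along the channel axis of NCHW batches.
fmodel = PyTorchModel(model, bounds=(0, 1),
                      preprocessing=dict(mean=mean, std=std, axis=-3))
epsilons = [0.01, 0.03, 0.1, 0.3, 0.5]
cnt = torch.zeros(len(epsilons)).to(device)
total = torch.zeros(len(epsilons)).to(device)
correct = torch.zeros(len(epsilons)).to(device)

for images, labels in eval_loader:
    images = images.to(device)
    labels = labels.to(device)

    # The loader yields normalized images; undo that to get back to [0, 1].
    images = images * std[:, None, None] + mean[:, None, None]

    _, advs_list, success = attack(fmodel, images, labels, epsilons=epsilons)
    cnt += success.sum(axis=1)
    total += images.shape[0]

    for i, advs in enumerate(advs_list):
        # Use fmodel so the adversarials are normalized before the forward pass.
        preds = fmodel(advs).argmax(dim=1)
        correct[i] += (preds == labels).sum().item()  # Compute accuracy for each epsilon

print(f"Success rate vector: {cnt / total}")
print(f"Accuracy vector for each epsilon: {correct / total}")
```
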
zimmerrol commented 1 year ago

Closing this now as it appears to be resolved.
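
Added example (not part of the thread and not foolbox code): why `bounds=(0, 1)` plus `preprocessing` is the right pairing, and what a scalar `(-3, 3)` in normalized space would actually allow. The ImageNet mean/std values and all function names here are assumptions for illustration; substitute the statistics used in training.

```python
# Assumed statistics (common ImageNet values); not taken from the thread.
MEAN = (0.485, 0.456, 0.406)
STD = (0.229, 0.224, 0.225)


def normalized_range(mean=MEAN, std=STD):
    """Per-channel interval that valid [0, 1] pixels occupy after (x - mean) / std."""
    return [((0.0 - m) / s, (1.0 - m) / s) for m, s in zip(mean, std)]


def pixel_range(lo, hi, mean=MEAN, std=STD):
    """Per-channel pixel interval that scalar bounds (lo, hi) in normalized space admit."""
    return [(lo * s + m, hi * s + m) for m, s in zip(mean, std)]


def pixel_eps(eps, std=STD):
    """Per-channel Linf budget, in pixel units, of an eps applied in normalized space."""
    return [eps * s for s in std]


def check_batch(values, bounds=(0.0, 1.0)):
    """Return the values that violate the bounds; an empty list means the batch is valid."""
    lo, hi = bounds
    return [v for v in values if not lo <= v <= hi]


if __name__ == "__main__":
    # The true normalized range differs per channel, so no scalar pair fits it.
    for c, (lo, hi) in enumerate(normalized_range()):
        print(f"channel {c}: normalized range [{lo:.3f}, {hi:.3f}]")
    # Scalar (-3, 3) would let the attack clip to pixels outside [0, 1].
    for c, (lo, hi) in enumerate(pixel_range(-3.0, 3.0)):
        print(f"channel {c}: bounds (-3, 3) admit pixels [{lo:.3f}, {hi:.3f}]")
    # An eps chosen in normalized space is a different pixel budget per channel.
    print("pixel eps for eps=0.03:", [round(e, 5) for e in pixel_eps(0.03)])
    # Constructed sample: normalized values fed to a (0, 1) model violate the bounds.
    print("out of bounds:", check_batch([-1.2, 0.3, 2.1]))
```

With the model wrapped as in the reply above, epsilons are expressed in raw pixel units and every adversarial stays a valid image.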