search

bethgelab / foolbox

A Python toolbox to create adversarial examples that fool neural networks in PyTorch, TensorFlow, and JAX
https://foolbox.jonasrauber.de
MIT License
2.73k stars 425 forks source link

how to define the bounds #703

Closed guomanshan closed 12 months ago

guomanshan commented 1 year ago

I trained the model with normalized image, and when attacking the model should I use the training dataset and normalize the image in the same way? Should the bounds be (0,1)? actually after normalization the pixel value of image data is between -3 and 3. Should the bounds be (-3,3)?

volmodaoist commented 1 year ago

Hey~Guy, I meet this problem too. Now I solved it:

fmodel = PyTorchModel(model, bounds = (0, 1), preprocessing = dict(mean = mean, std = std)) 
 epsilons = [0.01, 0.03, 0.1, 0.3, 0.5]
    cnt, total = torch.zeros(len(epsilons)).to(device),\
                 torch.zeros(len(epsilons)).to(device)

    correct = torch.zeros(len(epsilons)).to(device)

    for _, (images, labels) in enumerate(eval_loader):
        images = images.to(device)
        labels = labels.to(device)

        images = images * std[:, None, None] + mean[:, None, None]

        _, advs_list, success = attack(fmodel, images, labels, epsilons = epsilons)
        cnt += success.sum(axis = 1)
        total += images.shape[0]

        for i, advs in enumerate(advs_list):
            preds = model(advs).argmax(dim=1)
            correct[i] += (preds == labels).sum().item()  # Compute accuracy for each epsilon

    print(f"Success rate vector: {cnt / total}")
    print(f"Accuracy vector for each epsilon: {correct / total}")
zimmerrol commented 12 months ago

Closing this now as it appears to be resolved.