cassidylaidlaw / perceptual-advex

Code and data for the ICLR 2021 paper "Perceptual Adversarial Robustness: Defense Against Unseen Threat Models".
https://arxiv.org/abs/2006.12655
MIT License

A mistake which may lead to performance degradation #6

Open kevinbro96 opened 3 years ago

kevinbro96 commented 3 years ago

https://github.com/cassidylaidlaw/perceptual-advex/blob/70af18f174a269ed17368116b41e59e10cad0195/perceptual_advex/perceptual_attacks.py#L623

We should update "perturbations" after we update "live". Otherwise, some samples which already meet the requirements will still be updated through https://github.com/cassidylaidlaw/perceptual-advex/blob/70af18f174a269ed17368116b41e59e10cad0195/perceptual_advex/perceptual_attacks.py#L633

kevinbro96 commented 3 years ago

You can try to replace lines 612-627 in perceptual-advex/perceptual_advex/perceptual_attacks.py with the following:

            updates = torch.zeros_like(inputs)
            updates[live] = -grad_normed * (
                step_size / (dist_grads + 1e-8)
            )[:, None, None, None]

            if self.random_targets:
                live[live] = (adv_labels != labels[live]) | (lpips_dists > self.bound)
            else:
                live[live] = (adv_labels == labels[live]) | (lpips_dists > self.bound)
            if live.sum() == 0:
                break

            perturbations.data[live] = (
                (inputs[live] + perturbations[live] +
                 updates[live]).clamp(0, 1) -
                inputs[live]
            ).detach()

cassidylaidlaw commented 3 years ago

Thanks for finding this! I'm going to run some experiments with your suggested change and check what the results are, then I'll commit it to the repo.
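
The ordering question raised in this thread, reproduced on a toy scalar loop. This is an added example, not code from the repository or from either commenter: `still_live`, `run_attack`, `out_of_bound` and all numbers are constructed, and the toy leaves out the LPIPS model, the gradient step scaling and the clamp.

```python
# Toy scalar stand-in for the masked update loop discussed in this issue.
# Constructed values; no LPIPS model, no clamp, no later projection step.
BOUND = 5     # stand-in for self.bound
STEP = 2      # fixed step size per iteration
BOUNDARY = 0  # a sample counts as correctly classified while x + delta > BOUNDARY


def still_live(x, delta):
    """Untargeted condition from the thread: still correct OR outside the bound."""
    return (x + delta) > BOUNDARY or abs(delta) > BOUND


def run_attack(inputs, refresh_mask_first, max_iters=10):
    """Return final perturbations for either ordering of mask refresh and update."""
    deltas = [0] * len(inputs)
    live = [True] * len(inputs)
    for _ in range(max_iters):
        # Status is measured on the perturbations as they stand before this update.
        status = [still_live(x, d) for x, d in zip(inputs, deltas)]
        if refresh_mask_first:
            # Suggested order: drop finished samples, then update the rest.
            live = [l and s for l, s in zip(live, status)]
            if not any(live):
                break
        for i, is_live in enumerate(live):
            if is_live:
                deltas[i] -= STEP
        if not refresh_mask_first:
            # Reported order: finished samples were already moved once more above.
            live = [l and s for l, s in zip(live, status)]
            if not any(live):
                break
    return deltas


def out_of_bound(deltas):
    """Count final perturbations that exceed the bound."""
    return sum(abs(d) > BOUND for d in deltas)


if __name__ == "__main__":
    samples = [3, 4, 1]  # constructed inputs
    for first in (False, True):
        result = run_attack(samples, refresh_mask_first=first)
        print(first, result, out_of_bound(result))
```

With the mask refreshed after the update, every sample takes one extra step beyond the perturbation on which its stop condition was measured; in this toy that pushes two of the three past the bound.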