fra31 / auto-attack

Code relative to "Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks"
https://arxiv.org/abs/2003.01690
MIT License

Fixed random escape from attack problem of random evaluation #104

Closed LYMDLUT closed 7 months ago

LYMDLUT commented 7 months ago

@Buntender and I put forward this PR to improve random attack evaluation.

We can obviously observe that when AutoAttack evaluates a model with relatively strong randomness (such as DiffPure), in the attack stage, due to weak defense capability and random erroneous outputs, the attacker will be deceived and give up trying a stronger attack after a successful attack. This phenomenon can lead to falsely higher robustness measurements, and even to worse results from stronger attacks on otherwise more robust models. Through multiple EOT evaluations and the "relatively lower accuracy" adversarial sample screening method, our PR avoids the problem of screening adversarial samples only once, making the evaluation of random defenses more stable and accurate.
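A toy simulation of the effect described in the comment above, added here as an illustration and not taken from the PR or from the auto-attack code base. It compares stopping at the first candidate that a single stochastic forward pass misclassifies against scoring every candidate over several passes and keeping the one with the lowest empirical accuracy. The per-candidate probabilities, the function names and the 20-pass setting are constructed assumptions.

```python
import random

# Constructed toy model: probability that the randomized defense classifies
# each candidate input correctly on one stochastic forward pass (assumed values).
P_CORRECT = {"clean": 0.95, "weak_attack": 0.80, "strong_attack": 0.20}
ATTACKS = ["weak_attack", "strong_attack"]  # run in this order, weakest first


def forward_is_correct(candidate, rng):
    """One stochastic forward pass of the randomized defense."""
    return rng.random() < P_CORRECT[candidate]


def single_shot_screening(rng):
    """Stop at the first candidate misclassified on a single pass."""
    for attack in ATTACKS:
        if not forward_is_correct(attack, rng):
            return attack  # counted as broken; stronger attacks are skipped
    return "clean"


def eot_screening(rng, passes=20):
    """Run every attack, score each candidate over several passes,
    and keep the candidate with the lowest empirical accuracy."""
    def empirical_accuracy(candidate):
        return sum(forward_is_correct(candidate, rng) for _ in range(passes)) / passes
    return min(["clean"] + ATTACKS, key=empirical_accuracy)


def reported_accuracy(screen, n_samples=2000, seed=0):
    """Expected accuracy of the defense when re-run on the stored candidates."""
    rng = random.Random(seed)
    kept = [screen(rng) for _ in range(n_samples)]
    return sum(P_CORRECT[c] for c in kept) / n_samples


if __name__ == "__main__":
    print("single-shot:", round(reported_accuracy(single_shot_screening), 3))
    print("EOT screening:", round(reported_accuracy(eot_screening), 3))
```

In this toy setting the single-shot procedure often stores the weak candidate after one unlucky forward pass, so the accuracy measured on the stored candidates is well above what the strong candidate would yield.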