fra31 / auto-attack

Code relative to "Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks"
https://arxiv.org/abs/2003.01690
MIT License

Criterion for adding new models to the existing list of defenses? #3

Open VSehwag opened 4 years ago

VSehwag commented 4 years ago

Thanks for releasing such a rigorous evaluation of existing works on adversarial defenses. It is immensely helpful to get more clarity on this topic. I wonder what is the criterion to add new models to the existing list of defenses?

In particular, I am wondering whether papers (such as https://arxiv.org/pdf/2002.10509.pdf), which study adversarial training (in particular the SOTA approach from Carmon et al., 2019) in a new setting qualify for it? In particular, the aforementioned paper revisits the question "whether high capacity is necessary for adversarial robustness" from Madry et al., 2018 and shows that high robustness can be achieved even after removing up to 99% of the parameters.

In general, it could be a nice addition to the repo to have an evaluation of works that do not directly aim to improve robustness, but try to preserve it in the presence of other challenges (such as label noise, pruning, etc.).

Thanks.

fra31 commented 4 years ago

Hi,

I'm glad you find our work useful!

There is no preclusion to models from papers aiming at different aspects of adversarial robustness, like faster training or compressed models (e.g. we report the results from (Zhang et al., 2019a), (Wong et al., 2020), (Shafahi et al., 2019)). I think that it makes sense to evaluate also those models with strong attacks, but I agree that it should be clear which is the goal of the proposed method/defense.

To better track this information, I created here a template to get new models added to the list, so that it should be easier for everyone interested to find out more about the evaluated model (I'd add a link to such form in the list). I invite you to submit a model from https://arxiv.org/pdf/2002.10509.pdf through this procedure! In particular, it'd be very useful if you could include a script like this which runs the evaluation.

The other option would be, since you have code and pretrained models available, that I evaluate them myself, and then add a new entry to the list, but in this way it'd be more difficult to add comments about the nature of your models.

Let me know if this sounds reasonable, works or you have other suggestions!

VSehwag commented 4 years ago

Thanks for the prompt response. I am happy to include the evaluation script following the template. Just to make sure, in the template, robust accuracy refers to numbers calculated with the standard PGD-50/100 attacks (with/without restarts), not with the auto-attack?

fra31 commented 4 years ago

If you have already run the evaluation you can insert the robust accuracy given by AutoAttack, otherwise that given by PGD is fine, only please specify this in the template for clarity.

VSehwag commented 4 years ago

Just to follow up on this thread, one suggestion will be to set up a leaderboard for adversarial robustness. Currently, we are missing a strong leaderboard which is widely recognized in the community. I think the current results are pretty exhaustive and can easily serve as a starting point for it. I am also happy to help with it if needed.

fra31 commented 4 years ago

Well, the list we have may serve as a leaderboard. Or do you mean something different?

VSehwag commented 4 years ago

I think a dedicated webpage (similar to the spirit of https://paperswithcode.com/sota/image-classification-on-imagenet) will serve well. Maybe paperswithcode.com can host one for adversarial defenses based on your auto-attack.

fra31 commented 4 years ago

I see what you mean. I agree, such a page would be nice to have. If you're interested in discussing a bit more about this (and possibly collaborate) please drop me an email at francesco.croce@uni-tuebingen.de.

siawpeng commented 4 years ago

Thanks for sharing. May I know if the evaluation of models on the front page is based on the default values of eval.py (that is, batch size 500 etc.), changing only epsilon for several * models?

fra31 commented 4 years ago

Hi,

the batch size has to be adjusted according to what fits into the GPU memory available (and larger models require smaller batches). For the evaluation we use the whole test set of CIFAR-10 or MNIST, then one has to pass --n_ex=10000. You also have to specify the paths to the model, data and saving directory.

Overall, python eval.py --n_ex=10000 runs the AA evaluation, python eval.py --n_ex=10000 --plus the AA+ one.

Hope this answers your question!

siawpeng commented 4 years ago

Thanks a lot. It makes sense.