fra31
commented
3 years ago Hi,
there are a few options, described here. In particular, run_standard_evaluation uses an attack on some point only if none of the previous methods has been successful, which is equivalent to taking the worst-case over the four attacks. If instead you use run_standard_evaluation_individual all attacks are run on the full input batch, and the results are returned separately (this is more time-consuming).
The target classes for APGD-T are chosen, for each point, as the most likely (with highest logits) ones except for the correct one. We use 9 as standard value since the commonly used datasets have at least 10 classes. We use the same also for ImageNet to keep a constant computational budget and since we observed it to be effective, but in principle any value in [1, 999] can be used. Also, we use targeted losses, in the context of untargeted attacks, since these provide more diverse and, when multiple restarts are available, stronger attacks.
Hope this helps, and let me know if you have further questions!
Yeez-lee
Hi, I am a primary learner and still feel little bit confused about the autoattack and target apgdt. (1) For the standard autoattack, do all images are attacked by 4 attacks respectively and calculate the average robust accuracy of 4 attacks after all? And in autoattack, are adversarial images for each attack saved respectively? (2) And for target apgdt, how the target label is found? I see that the number of target label is equal to the number of total class minus one for CIFAR-10. If I want to use it for the ImageNet, should I set n_target_classes = 999 or any number among 1-999? What's the principal for the target setting?
Looking forwards to your help! Thanks!