huanzhang12 / CLEVER

CLEVER (Cross-Lipschitz Extreme Value for nEtwork Robustness) is a robustness metric for deep neural networks
https://openreview.net/pdf?id=BkUHlMZ0b
Apache License 2.0

issue about calculating the distortion of adversarial images #9

Open EZ4DC opened 3 years ago

EZ4DC commented 3 years ago

Hello huanzhang,

I saw 'The distortion of adversarial images are 0.1598, 0.82025, 0.85298 for the three targets.' in 'More Examples' of README.md. I want to know how to calculate the distortion by CW. Is the distortion the so-called perturbation ε? If so, I am confused: isn't the size of ε set artificially for attacking an image?

Thanks. Looking forward to your reply!

huanzhang12 commented 3 years ago

@EZ4DC Yes, the distortion is the L2 norm of the added adversarial noise, which is ε. In CW, ε is not set artificially. Instead, you can tune the parameter c to indirectly control the size of the distortion; see the CW paper, the equation at the bottom of page 6. In Table IV they report the mean of ε for all images (ε for each image is not fixed artificially; you try to find the smallest ε for each image).
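
The relationship described in the reply above, as an added example for robustness measurement (not code from this thread, the CLEVER repository, or the CW implementation): distortion is measured as the L2 norm of the noise that a CW-style objective produces, and c only decides whether a label flip is reached. Assumptions: a constructed two-dimensional linear classifier, a hinge on the score standing in for the CW loss term, fixed-step gradient descent, and a fixed sweep over c in place of a binary search.

```python
import math

# Constructed toy model: linear classifier, label 1 if W.x + B > 0.
W, B = (3.0, 4.0), -15.0

def score(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B

def l2(delta):
    return math.sqrt(sum(d * d for d in delta))

def cw_style_distortion(x, c, steps=2000, lr=0.01):
    """Gradient descent on ||delta||^2 + c * max(score(x + delta), 0).
    Returns the smallest L2 distortion that flipped the label, or None."""
    delta, best = [0.0] * len(x), None
    for _ in range(steps):
        s = score([xi + di for xi, di in zip(x, delta)])
        if s < 0 and (best is None or l2(delta) < best):
            best = l2(delta)          # distortion is measured, not preset
        hinge = c if s > 0 else 0.0   # gradient of c * max(s, 0) w.r.t. s
        delta = [di - lr * (2 * di + hinge * wi) for di, wi in zip(delta, W)]
    return best

def min_distortion(x, c_values=(0.1, 0.5, 1.0, 10.0)):
    """Sweep c and keep the smallest successful distortion for this input."""
    found = [d for d in (cw_style_distortion(x, c) for c in c_values)
             if d is not None]
    return min(found) if found else None

def mean_distortion(inputs):
    """Average of the per-input minimum distortions, skipping failures."""
    vals = [d for d in map(min_distortion, inputs) if d is not None]
    return sum(vals) / len(vals)

if __name__ == "__main__":
    x = (3.0, 4.0)                    # constructed input, score = 10
    exact = score(x) / l2(W)          # distance to the boundary: 2.0
    for c in (0.1, 0.5, 1.0, 10.0):
        print("c =", c, "distortion =", cw_style_distortion(x, c))
    print("exact minimum:", exact)
    print("mean over inputs:", mean_distortion([x, (5.0, 5.0)]))
```

For a linear model the true minimum distortion is the distance to the decision boundary, so the measured value can be checked against it; too small a c returns None because the penalty never outweighs the norm term.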

EZ4DC commented 3 years ago

I got it. Thanks again!