machanic / TangentAttack

The official implementation of NeurIPS 2021 paper: Finding Optimal Tangent Points for Reducing Distortions of Hard-label Attacks
https://arxiv.org/abs/2111.07492
Apache License 2.0

Logical Question: clamp in tangent point #4

Open yangshengaa opened 10 months ago

yangshengaa commented 10 months ago

Hi! I really enjoy reading your code. It is well organized and documented. 😄

I have a small question on clamp and tangent point. In searching for the tangent point, we break the while loop once the generated sample is an adversarial sample. We later clamp the sample to within a feasible range, say [0, 1].

This is what I saw in the implementation in tangent_attack_hemisphere/attack_with_max_ball.py

def geometric_progression_for_tangent_point(self, x_original, x_boundary, normal_vector, true_labels, target_labels, dist, cur_iter):
    ...

    while True:
        ...
        tangent_point = tangent_point.view_as(x_original).type(x_original.dtype)
        success = self.decision_function(tangent_point[None], true_labels, target_labels)
        num_evals += 1
        if bool(success[0].item()):  # * stops as long as it is an adversarial sample, although may not be in the range
            break
        min_radius /= 2.0
    ...
    tangent_point = torch.clamp(tangent_point, self.clip_min, self.clip_max)  # * clamp outside of the while loop
    return tangent_point, ...

I am wondering if this will cause an issue where the sample is adversarial prior to clamping but no longer adversarial afterwards. This is in fact what I encountered in practice.

How does your team cope with this issue? It is not evident from the code that any downstream processing checks whether this tangent point is still a valid adversarial sample.

Thanks!

machanic commented 9 months ago

Thank you for enjoying my paper! What you said will never happen, because in the while loop we repeatedly call decision_function to judge whether such a tangent point is located in the adversarial region, and only when decision_function returns True do we break the while loop. The first line of decision_function also calls images = torch.clamp(images, min=self.clip_min, max=self.clip_max).cuda() (https://github.com/machanic/TangentAttack/blob/main/tangent_attack_hemisphere/attack.py#L119), which is exactly the same clamp as the one you mentioned outside the loop. Thus, that will never happen in my code.
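The ordering argument in the reply above is easy to check on a toy model. The following is an added example, not code from the TangentAttack repository or from either participant: it replaces the network with a hypothetical 2-D linear hard-label oracle (adversarial iff x0 + x1 > 1.6, a region that cuts the corner of the valid box [0, 1]^2) and the hemisphere geometry with a straight-line radius search, so the only thing under test is whether the query inside the loop sees the clamped point or the raw one. The names `search_tangent_point`, `model_is_adversarial`, `returned_point_is_adversarial` and the constructed scenario `X_BOUNDARY`, `DIRECTION`, `RADIUS` are all assumptions made for this illustration.

```python
# Added example (not code from the TangentAttack repository): a toy model of
# the clamp/decision ordering discussed in this issue. The classifier, the
# search direction and the sample points are all constructed for illustration.
from typing import List, Tuple

Point = List[float]
CLIP_MIN, CLIP_MAX = 0.0, 1.0


def clamp(x: Point) -> Point:
    """Same effect as torch.clamp(x, clip_min, clip_max), coordinate-wise."""
    return [min(max(v, CLIP_MIN), CLIP_MAX) for v in x]


def model_is_adversarial(x: Point) -> bool:
    """Hypothetical hard-label oracle: the adversarial region is the half-plane
    x0 + x1 > 1.6, which intersects the valid box only near its (1, 1) corner."""
    return x[0] + x[1] > 1.6


def decision_function(x: Point, clamp_first: bool) -> bool:
    """Stand-in for the repository's decision_function. With clamp_first=True the
    point is clamped before the oracle is queried, as the reply above says
    attack.py does; clamp_first=False models the ordering the question worried
    about, where the raw (possibly out-of-range) point is what gets queried."""
    if clamp_first:
        x = clamp(x)
    return model_is_adversarial(x)


def search_tangent_point(x_boundary: Point, direction: Point, min_radius: float,
                         clamp_first: bool, max_halvings: int = 50) -> Tuple[Point, int]:
    """Toy stand-in for geometric_progression_for_tangent_point: step from the
    boundary point along `direction` with a radius that is halved until the
    oracle reports an adversarial point, then clamp once outside the loop.
    Returns the clamped point and the number of oracle queries spent."""
    num_evals = 0
    for _ in range(max_halvings):
        candidate = [b + min_radius * d for b, d in zip(x_boundary, direction)]
        num_evals += 1
        if decision_function(candidate, clamp_first):
            break
        min_radius /= 2.0
    else:
        raise RuntimeError("no adversarial point found within max_halvings")
    return clamp(candidate), num_evals


def returned_point_is_adversarial(x_boundary: Point, direction: Point,
                                  min_radius: float, clamp_first: bool) -> bool:
    """The property the issue asks about: is the clamped point handed back to
    the caller still adversarial according to the model?"""
    point, _ = search_tangent_point(x_boundary, direction, min_radius, clamp_first)
    return model_is_adversarial(point)


# Constructed scenario: a boundary point exactly on the decision line, and a
# search direction that leaves the box on x0 while reducing x1, so the raw
# candidate is adversarial only thanks to the out-of-range coordinate.
X_BOUNDARY = [0.8, 0.8]
DIRECTION = [1.0, -0.9]
RADIUS = 0.5

if __name__ == "__main__":
    for clamp_first in (True, False):
        pt, evals = search_tangent_point(X_BOUNDARY, DIRECTION, RADIUS, clamp_first)
        print(f"clamp inside decision_function={clamp_first}: point={pt}, "
              f"queries={evals}, still adversarial={model_is_adversarial(pt)}")
```

With the clamp inside the query (the repository's ordering), the first two radii are rejected because their clamped versions fall back below the decision line, and the loop only stops at a point that is both in range and adversarial, so the final `torch.clamp`-style call outside the loop is a no-op on it. With the clamp only outside the loop, the very first raw candidate is accepted and the clamped point returned to the caller is not adversarial, which is exactly the failure the question describes. The example also shows the cost of the correct ordering: extra oracle queries while the radius shrinks back into the box.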