mzweilin / EvadeML-Zoo

Benchmarking and Visualization Tool for Adversarial Machine Learning
https://evadeML.org/zoo
MIT License

The score threshold selection in train phase #6

Closed kaidi-jin closed 4 years ago

kaidi-jin commented 4 years ago

hi, thank you for your excellent work. Here are some of my confusions I noticed in the paper, section V, experimental setup. The train phase only needs legitimate examples and does not depend on the adversarial examples. But the implementation in the function build_detection_dataset in the base.py file is:

```python
random.seed(1234)
length = len(X_detect)
train_ratio = 0.5
train_idx = random.sample(range(length), int(train_ratio * length))
train_test_seq = [1 if idx in train_idx else 0 for idx in range(length)]
```

And I changed the code to:

```python
train_idx = range(len(X_leg_all))
```

Is that right?

Anyway, both settings get 100% accuracy on my CW attack adversarial data.

Besides, the comment in the function evaluate_detections on line 239 says:

Example: --detection "FeatureSqueezing? distance_measure=l1&squeezers=median_smoothing_2,bit_depth_4;"

But the squeezer median_smoothing_2 is not in the squeezer_list?

Is it that median_filter corresponds to local smoothing, and non_local_means_color and non_local_means_bw correspond to non-local smoothing?

Thank you for your reply. Looking forward to your reply!

kaidi-jin commented 4 years ago

Update with some new experiment results:

I used Feature Squeezing on the vgg-face model with the cw2 attack, and the result is 68% TPR with median_filter_4_4. Better than the result for bit_depth. It seems normal.

But I encountered something strange: when I only use bit_depth_1, bit_depth_4 and bit_depth_8, these three squeezers respectively, all of their trained thresholds are 0.000000. All the distances are 0 in the list returned from the get_distance function. Is the zero threshold result reasonable? Where did I give the wrong parameters?

mzweilin commented 4 years ago

Hi @stuking , thanks for your interest in our work.

The adversarial examples in the training set are not required, because we select the threshold value using legitimate examples only. But there's no harm in including adversarial examples.

A threshold value is picked so that the false positive rate on legitimate examples in the training set is not larger than a specified value, such as 5%. A zero threshold value usually means the squeezing method barely changes the model prediction on legitimate examples (less than 5% of legitimate examples have distance > 0). It would be a great squeezing method if the distance is large for adversarial examples. But it could be useless if the distance of adversarial examples is often zero (e.g. an identity function). Please read our paper for more details.

We have changed the name of filters at some point. Please use "median_filter_2_2" instead of "median_smoothing_2". You can find more examples of the filter names on this page: https://github.com/mzweilin/EvadeML-Zoo/blob/master/Reproduce_FeatureSqueezing.md

I believe we can close the issue now.

Best, -Weilin
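The two points raised in this thread (the seeded train/test split quoted in the first comment, and the maintainer's explanation of why a selected threshold can be exactly zero) can be put together in a small runnable example. The code below is an added illustration and is not EvadeML-Zoo code: the classifier is a constructed toy softmax model, the "adversarial" inputs are just perturbed legitimate inputs (no real attack is run), the `bit_depth_squeezer` and `identity_squeezer` helpers are hypothetical stand-ins for the repository's squeezers, and the threshold rule in `select_threshold` (smallest score such that at most `train_fpr` of legitimate training scores lie strictly above it) is an assumption about the selection procedure described in the reply, not the repository's exact code.

```python
"""Added example (not EvadeML-Zoo code): Feature Squeezing threshold selection
on legitimate data only, and the zero-threshold case discussed in the thread."""
import numpy as np


# ---- squeezers (hypothetical stand-ins for the bit_depth_* squeezers) ----
def bit_depth_squeezer(bits):
    """Quantise values in [0, 1] down to 2**bits levels."""
    levels = 2 ** bits - 1
    return lambda x: np.round(x * levels) / levels


def identity_squeezer(x):
    """A squeezer that changes nothing: every distance is 0, so it is useless."""
    return x


# ---- constructed toy classifier standing in for the real model ----
def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


class ToyModel:
    def __init__(self, n_features, n_classes, seed=0):
        self.W = np.random.default_rng(seed).normal(size=(n_features, n_classes))

    def predict(self, X):
        return softmax(X @ self.W)


# ---- detection score, train/test split and threshold selection ----
def l1_scores(model, X, squeezers):
    """Joint score: max over squeezers of the L1 distance between the prediction
    on the original input and the prediction on the squeezed input."""
    p = model.predict(X)
    score = np.zeros(len(X))
    for squeeze in squeezers:
        score = np.maximum(score, np.abs(p - model.predict(squeeze(X))).sum(axis=1))
    return score


def split_detection_dataset(n, train_ratio=0.5, seed=1234):
    """Seeded 50/50 split in the spirit of the snippet quoted in the first comment
    (returns a boolean mask: True = training example)."""
    rng = np.random.default_rng(seed)
    train_idx = set(rng.choice(n, size=int(train_ratio * n), replace=False).tolist())
    return np.array([i in train_idx for i in range(n)])


def select_threshold(legit_scores, train_fpr=0.05):
    """Assumption: pick the smallest score such that at most `train_fpr` of the
    legitimate training scores are strictly above it. Only legitimate examples
    are used, so adversarial examples are not needed for training."""
    s = np.sort(np.asarray(legit_scores, dtype=float))
    k = int(np.ceil((1 - train_fpr) * len(s))) - 1
    return float(s[min(max(k, 0), len(s) - 1)])


def evaluate_detector(model, X_legit, X_adv, squeezers, train_fpr=0.05):
    """Select the threshold on legitimate training data, then report FPR on the
    held-out legitimate data and TPR on the adversarial data."""
    is_train = split_detection_dataset(len(X_legit))
    thr = select_threshold(l1_scores(model, X_legit[is_train], squeezers), train_fpr)
    fpr = float(np.mean(l1_scores(model, X_legit[~is_train], squeezers) > thr))
    tpr = float(np.mean(l1_scores(model, X_adv, squeezers) > thr))
    return {"threshold": thr, "fpr": fpr, "tpr": tpr}


# ---- constructed data: 8-feature "images" with values in [0, 1] ----
_rng = np.random.default_rng(42)
model = ToyModel(n_features=8, n_classes=3)
X_legit = _rng.random((200, 8))
# constructed "adversarial" inputs: small random perturbation, not a real attack
X_adv = np.clip(X_legit + 0.05 * _rng.normal(size=X_legit.shape), 0.0, 1.0)
# data that is already 1-bit: bit_depth_1 leaves it unchanged, so its scores are 0
X_binary = _rng.integers(0, 2, size=(200, 8)).astype(float)

if __name__ == "__main__":
    print("bit_depth_4 :", evaluate_detector(model, X_legit, X_adv, [bit_depth_squeezer(4)]))
    print("identity    :", evaluate_detector(model, X_legit, X_adv, [identity_squeezer]))
    print("bit_depth_1 on already-binary legitimate data:",
          evaluate_detector(model, X_binary, X_adv, [bit_depth_squeezer(1)]))
```

The third case reproduces the situation from the second comment: when the squeezer does not change the legitimate inputs at all, every training distance is 0 and the selected threshold is 0.000000. That threshold is still usable if adversarial inputs produce nonzero distances (as the continuous `X_adv` does under 1-bit quantisation), but with the identity squeezer both sides score 0 and the detector flags nothing, which is the "useless" case the reply describes.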