openphilanthropy / unrestricted-adversarial-examples

Contest Proposal and infrastructure for the Unrestricted Adversarial Examples Challenge
Apache License 2.0

Simple Parallel Spatial Attack #52

Closed nottombrown closed 5 years ago

nottombrown commented 5 years ago

This is a simple spatial attack that just uses multiprocessing to generate candidate attacks. It will use all the available CPUs.

Profiling the attack, we find that it is CPU bound even when we have a machine with 32 available CPUs and a single P100 GPU.

(run_attack contains the GPU work) [image]

After optimizing, the attack takes ~45 minutes to run on the keras model and ~30 minutes to run on the pytorch model.

nottombrown commented 5 years ago

@carlini - Could you take a look at this? It uses just np because tf is hard to profile / optimize when doing multiprocessing. I plan to remove all the other implementations of the spatial attack and just use this.

I removed the valid_check feature, because I wasn't certain that it was necessary. If you think that it's important then I can add it back.

carlini commented 5 years ago

valid_check is important for MNIST. Otherwise you end up clipping the entire digit outside of the bounding box.
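
The kind of validity check discussed in this comment, as an added example that is not code from this pull request or the project: it measures how much of a digit's intensity stays inside the frame after a rotation and translation and rejects candidates that clip it. The function names, the 0.9 threshold, the nearest-neighbour transform and the sample image are assumptions.

```python
import math

def retained_mass(img, dx, dy, angle_deg):
    """Fraction of the image's total intensity still inside the frame after
    rotating about the centre by angle_deg and translating by (dx, dy)."""
    h, w = len(img), len(img[0])
    cy, cx = (h - 1) / 2.0, (w - 1) / 2.0
    c = math.cos(math.radians(angle_deg))
    s = math.sin(math.radians(angle_deg))
    total = sum(map(sum, img))
    kept = 0.0
    for y in range(h):
        for x in range(w):
            # Inverse mapping: find the source pixel that lands on (x, y).
            u, v = x - dx - cx, y - dy - cy
            sx = round(c * u + s * v + cx)
            sy = round(-s * u + c * v + cy)
            if 0 <= sx < w and 0 <= sy < h:
                kept += img[sy][sx]
    return kept / total if total else 0.0

def valid_check(img, dx, dy, angle_deg, min_retained=0.9):
    """Assumed rule: accept only if >= min_retained of the intensity survives."""
    return retained_mass(img, dx, dy, angle_deg) >= min_retained

def filter_candidates(img, candidates):
    """Keep the (dx, dy, angle) candidates that leave the digit in frame."""
    return [p for p in candidates if valid_check(img, *p)]

# Constructed 28x28 sample: a vertical stroke (rows 8-19, cols 11-16), not real MNIST data.
DIGIT = [[1.0 if 8 <= r <= 19 and 11 <= c <= 16 else 0.0 for c in range(28)]
         for r in range(28)]

if __name__ == "__main__":
    # Constructed candidate grid of (dx, dy, angle_deg) tuples.
    grid = [(3, 0, 0), (14, 0, 0), (20, 0, 0), (0, -2, 0)]
    for p in grid:
        print(p, round(retained_mass(DIGIT, *p), 2), valid_check(DIGIT, *p))
```
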

nottombrown commented 5 years ago

Ok, I’ll add it back tomorrow.

On Thu, Oct 4, 2018 at 8:55 PM Nicholas Carlini notifications@github.com wrote:

> valid_check is important for MNIST. Otherwise you end up clipping the entire digit outside of the bounding box.


nottombrown commented 5 years ago

Added back the MNIST check. Currently we still have two versions, but we can deprecate the old one at a later date.

Here are some sampled incorrectly classified images that the attack found on the keras resnet: [four images]