dtsip
commented
5 years ago Thank you for your submission! Would it be possible to refine your claims? The claims should correspond to the robust accuracy of your strongest model (be it fully-connected or convolutional) against different values of epsilon (preferably 1 to avoid cluttering the table). Specifically, we don't create separate entries for each attack (FGSM or PGD) and we don't include the improvement over the original baseline. All we are listing is the claimed robust accuracy, e.g., "80% robust accuracy against epsilon=0.3". (Robust accuracy corresponds to the accuracy against the worst case attack you can come up with.)
While not technically an obstacle for including the defense to RobustML, we noticed a few worrisome issues with the defense:
- The performance of PGD is not improving as you allow larger values of epsilon. This might indicate that PGD is not properly tuned (it may need larger step size or more steps).
- FGSM is often outperforming PGD especially for larger epsilon values. This might be an issue of not properly tuning PGD (see previous point) or the model having obfuscated gradients (see https://arxiv.org/abs/1802.00420).
- The performance of the defense in terms of robust accuracy appears to be below other entries in the table.
You may want to consider addressing these issues before listing the defense here.
jngannon
anishathalye
Defense: Linear output layer(no softmax), trained with quadratic cost, weights pruned based on smallest mean activated value.
Write-up: https://jngannon.github.io/FGSM_Article
Authors: James Gannon (james.gannon.82@gmail.com)
Code: https://github.com/jngannon/robustml-test-analysis
Does the code implement the robust-ml API and include pre-trained models: Yes
Claims: Fully connected networks: 78.2% robust accuracy against epsilon=0.1