trustworthy-ai-group / transferattack Goto Github PK

Excuse me, I have recently been borrowing your framework to test my method. I have noticed that in terms of improving transferability based on input diversity, your evaluation data for various methods below are all based on resnet18 as a proxy model. When I When using resnet101 as a proxy model to evaluate the following method, for the white box model, its effect is very low, only about 80%. I have not found the cause of the problem. I hope you can answer it.

想问一下，如何证明data数据被所选的网络预测正确呢？
我的方法: 直接对data数据进行eval测试，网络的攻击成功率应该是0？因为全部预测正确。但是得到的结果不为0啊？

Thanks for providing this useful work.
The function of init_delta in transferattack/attack.py seems questionable.

And, the L136 also seems problematic, which may be delta.normal_(). Besides, why the norm scaler nis constrained withdim=10` in L138?

If there are indeed bugs, I'm happy to create a PR as

    def init_delta(self, data, **kwargs):
        delta = torch.zeros_like(data).to(self.device)
        if self.random_start:
            if self.norm == 'linfty':
                delta.uniform_(-self.epsilon, self.epsilon)
            else:
                delta.normal_()
                n = torch.norm(delta.view(delta.size(0), -1), dim=1).view(-1, 1, 1, 1)
                r = torch.zeros_like(data).uniform_(0,1).to(self.device)
                delta *= r/n*self.epsilon
            delta = clamp(delta, img_min-data, img_max-data)
        delta.requires_grad = True
        return delta

I would like to ask whether the code of BSR and Admix method is consistent with the description in the paper. For example, in the code of BSR，I did not see the part of rotation operation for blocks mentioned in the paper. Also, I am confused about the Admix code "return torch.concat([admix_images / (2 ** i) for i in range(self.num_scale)])", is it scaling the blended image? I follow the given code and get the result is changing the brightness of the image. Thank you for your answer.
``

Thank you for your great work, this framework has been really helpful to me. Do you have any plans to reproduce the code of this paper into your framework? "Transferable Adversarial Attack for Both Vision Transformers and Convolutional Networks via Momentum Integrated Gradients" in 2023 ICCV.
In fact, I have some issues with MIG's approach, so that I can't reproduce its results. For example, the loss function in IG is the logits of the corresponding category or cross entropy, etc.

请问

出现运行错误，如何解决？

Hello, authors! Thank you for your excellent work. Notice that you report the performances of BPA on ViTs. However, only the open-source code of BPA for CNNs is provided. Would you mind releasing the relevant code for ViTs?

Thank you very much!

Look forward to your reply.

As the the name suggested, FFT work in the way of fine-tuning a given Adversarial example crafted with a baseline attack, such as CE, PO+Trip, Logit, logitMargin. It is transferability is heavily determined by the baseline attack. In other words, FFT is orthogonal to baselines, not comparable directly.
Our submit code is based on CE, which is the weakest. Hence, comparing FFT(CE) with other methods may not make sense.

Thank you for your excellent and solid work. I would like to ask when the related paper will be released. We would like to cite this paper in our recent submission.

look forward to your response.

您好！首先表达一下感谢，这个仓库的存在帮我节省了不少跑代码和查文献的时间。然后是我的问题，我在尝试复现 L2T 的结果时发现 TransferAttack 上的评估结果和其开源的仓库上的评估结果在 cnn 模型上有明显差异（单卡， batchsize=2 下测试），具体结果如下：

我注意到 L2T 的代码这里，和 TransferAttack 的这里 对 cnn 模型权重设置不同，将其设置为 DEFAULT 后的结果为：

我想 README 中所报告的结果可能需要更新一下，另外还应该补充一下这篇论文的链接 https://arxiv.org/abs/2405.14077 。此外，在 ir.py 的这里给的链接是一篇差分隐私的论文，我想正确的链接应该是这个：https://arxiv.org//abs/2009.11729

作者您好
请问这篇论文的pytorch的代码能实现到存储库吗？ 非常感谢！

1. Learning Transferable Adversarial Examples via Ghost Networks（ https://arxiv.org/abs/1812.03413 ）