
Comments (4)

ttbrunner commented on August 17, 2024

Hi! Sorry for the late answer, I saw this only just now :(

We used this code to sample indices from the ImageNet validation set:

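```python
import numpy as np

# Images to attack: shuffle all 50000 validation indices, keep the first 1000
np.random.seed(0)
indices = np.arange(50000)
np.random.shuffle(indices)
indices = indices[:1000]

# Adversarial target class per image (RNG re-seeded so targets do not depend on the shuffle)
np.random.seed(0)
y_target = np.random.randint(0, 1000, size=len(indices))
```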

This should be reproducible - to double-check, the image indices start with [11841, 19602, 45519, ...], and the target classes start with [684, 559, 629, ...]. Using our loader in dataset.py, this should correspond to target labels ['ocarina, sweet potato', 'folding chair', 'lipstick, lip rouge', ...].

from biased_boundary_attack.

lxxue commented on August 17, 2024

Thank you for the update.

I noticed that when using the vanilla boundary attack, the first several images get good adversarial examples. However, for the following images, the adversarial examples found are not so good. This can be seen from the size of the log folder (this is the message after `du -hs *` in the log folder):

[image: screenshot of the `du -hs *` output]

In other words, the performance of this attack degrades as time goes on. I suspect this has something to do with the random number generator, but things didn't change after I used other generators.

I would like to know if you have similar observations and if you know what's wrong here? Thank you.


ttbrunner commented on August 17, 2024

Hi, I haven't observed anything like this, and I think this screenshot does not show a clear trend.

Dir sizes (number of logged images) deviate hugely and do not directly depend on attack success. For example, if the network is very unrobust for a specific image, the initializer (binary search to decision boundary) will find a good adversarial example already after 10 steps. Then, it's possible that little further progress is made after maybe 3000 more steps. In other cases, the attack might take many small, successful steps, but still end up with a bad result.

To measure this directly, you could take the final L2 distance per img (from last .yaml file in each dir) and plot it against the img ID in ImageNet. To further check, one could invert the order of the indices and run again.

I do need to mention that only the img IDs are reproducible, while the random perturbations per attack step are not at this time, as they are generated in multiple threads. However, I have run a huge number of evaluations and always gotten very similar results, so the issue has really never popped up for us.


lxxue commented on August 17, 2024

Hi, thank you for the explanations and suggestions. I remember I have done similar things before by getting the average L2 distance of the first k images, and the mean distance did go up as k increased. I tried to experiment on different machines but I still saw such a trend. I guess your result is correct but I am just confused about my experiments.

I guess I will reproduce this one when some GPUs are available. Again, thank you for the well-written code.

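The check discussed in the thread (final L2 distance per image against run order, and the mean over the first k images), as an added example that is not part of the thread or of the project's code. It assumes the final distances have already been read from the last .yaml file of each log directory; the function names and the sample data are hypothetical and constructed, and the rank correlation with a permutation test is a technique chosen here, not one named in the thread.

```python
import random

def ranks(values):
    """1-based ranks; tied values share their mean rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def order_trend(l2_in_run_order, n_perm=2000, seed=0):
    """Spearman rho between run position and final L2, plus a permutation p-value."""
    pos = list(range(1, len(l2_in_run_order) + 1))
    l2_ranks = ranks(l2_in_run_order)
    rho = pearson(pos, l2_ranks)
    rng, shuffled, hits = random.Random(seed), l2_ranks[:], 0
    for _ in range(n_perm):
        rng.shuffle(shuffled)  # break any link between position and distance
        hits += abs(pearson(pos, shuffled)) >= abs(rho)
    return rho, (hits + 1) / (n_perm + 1)

def running_mean(values):
    """Mean L2 over the first k images, for k = 1..n."""
    out, total = [], 0.0
    for k, v in enumerate(values, 1):
        total += v
        out.append(total / k)
    return out

# Constructed data: 200 final L2 distances in run order (not from a real run).
_rng = random.Random(1)
NO_DRIFT = [_rng.lognormvariate(1.0, 0.6) for _ in range(200)]
DRIFT = [d * (1 + 0.03 * i) for i, d in enumerate(NO_DRIFT)]  # grows with position

if __name__ == "__main__":
    for name, data in (("no drift", NO_DRIFT), ("drift", DRIFT)):
        rho, p = order_trend(data)
        print(f"{name}: rho={rho:+.2f} p={p:.4f} mean@10={running_mean(data)[9]:.2f} mean@200={running_mean(data)[-1]:.2f}")
```

Feeding it the distances from a second run with the index order inverted shows whether a trend follows the run position or the image itself.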
