Robust Accuracy of StAdv Model

[pratyushmaini]

Hi, according to Table 2, (AT StAdv) model achieves >50% accuracy against StAdv attacks (bound = 0.05). I used the pre-trained models provided (stadv_0.05.pt) but got a robust accuracy of around ~40%. Can you confirm if this is indeed the case?

Thanks!

[cassidylaidlaw]

Hi, I looked back at the evaluation output and it looks like our evaluation did give a robust accuracy of 53.9% to that model. What exact parameters are you using for the attack? I can also re-run the evaluation and make sure the models didn't get mixed up or something.

[pratyushmaini]

Hey,
To get the model I used:
dataset, model = get_dataset_model( dataset='cifar', arch='resnet50', checkpoint_fname='cifar/stadv_0.05.pt', )
And to test the model I used:
attack = StAdvAttack( model, bound=0.05, )

I tried to follow the sample code in the starter notebook.

[cassidylaidlaw]

Hey, sorry for the slow response. By default, StAdv uses 20 iterations but we evaluated with 100 for the PAT paper. It looks like the StAdv attack may actually be less strong when using more iterations, which would explain the discrepancy. I believe this is because it uses a penalty term on the "smoothness" of the perturbation. Using more iterations of optimization could thus improve the smoothness but reduce the effectiveness of the attack. Hopefully the community can find better spatial attacks more suited to benchmarking. I'm currently evaluating the model you evaluated using StAdv with only 20 iterations to see if I get the same results.

[cassidylaidlaw]

Just confirmed that using only 20 iterations gives a robust accuracy for that model of 39.9%.

[pratyushmaini]

Thanks for checking this. One fix could be to make an early stop on finding a successful example.

Can you confirm which of the following models did you use for the numbers in the table in the main paper:
pat_alexnet_0.7.pt
pat_alexnet_1.pt

[pratyushmaini]

Can you also let me know where do you set the number of iterations?

[cassidylaidlaw]

I'll look into the early stopping. I thought the library mister_ed which has the StAdv implementation was already doing it, but maybe there's a bug or something.

If you look in the README under evaluation, there are the exact attacks used for evaluation in the paper. For instance, these are the ones for CIFAR-10:

python evaluate_trained_model.py --dataset cifar --checkpoint /path/to/checkpoint.pt --arch resnet50 --batch_size 100 --output evaluation.csv \
"NoAttack()" \
"AutoLinfAttack(model, 'cifar', bound=8/255)" \
"AutoL2Attack(model, 'cifar', bound=1)" \
"StAdvAttack(model, num_iterations=100)" \
"ReColorAdvAttack(model, num_iterations=100)" \
"PerceptualPGDAttack(model, num_iterations=40, bound=0.5, lpips_model='alexnet_cifar', projection='newtons')" \
"LagrangePerceptualAttack(model, num_iterations=40, bound=0.5, lpips_model='alexnet_cifar', projection='newtons')"

You can see that the number of iterations is set using num_iterations=100.

The README file in the checkpoints zip file describes exactly which checkpoints were used for each table in the paper—let me know if that answers your question.